Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
From: Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Feb 2009 22:15:50 +0100
In-reply-to: <948742514.20090226214628@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <310590197.20090226194050@xxxxxxx> <948742514.20090226214628@xxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.13 (2006-08-11)

On 2009-02-26 Vladimir '3APA3A' Dubrovin wrote:
> --Thursday, February 26, 2009, 7:40:50 PM, you wrote to 
> bugtraq@xxxxxxxxxxxxxxxxx:
> DSRG> Application:       APC PowerChute Network Shutdown's Web Interface
> DSRG> Vendor URL:        http://www.apc.com/
> DSRG> Bug:               XSS/Response Splitting
> 
> DSRG> Solution:          Use Firewall
> 
> Just wonder: how can firewall to protect against XSS/response splitting?

You don't give the bad guys access to your UPS's web interface?

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html

Follow-Ups:
- Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Vladimir '3APA3A' Dubrovin

References:
- [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Digital Security Research Group
- Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Vladimir '3APA3A' Dubrovin

Prev by Date: ANNOUNCE: RFIDIOt-0.1x release - February 2009
Next by Date: Re: New site about security conferences : www.security-briefings.com
Previous by thread: Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Next by thread: Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Index(es):
- Date
- Thread