Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

To: Ansgar Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
Subject: Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
Date: Fri, 27 Feb 2009 09:38:20 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20090226211550.GA29752@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <310590197.20090226194050@xxxxxxx> <948742514.20090226214628@xxxxxxxxxxxxxxxx> <20090226211550.GA29752@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>

Dear Ansgar Wiechers,

--Friday, February 27, 2009, 12:15:50 AM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:

>>
>> Just wonder: how can firewall to protect against XSS/response splitting?

AW> You don't give the bad guys access to your UPS's web interface?

In  case  of  non-persistant XSS, form redirection or response splitting
it's  YOU  are  the bad guy who accesses UPS's web interface and another
bad  guy  can shutdown your UPS by forcing your browser to send required
request to UPS.

-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/

References:
- [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Digital Security Research Group
- Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Vladimir '3APA3A' Dubrovin
- Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
  - From: Ansgar Wiechers

Prev by Date: Re: BitDefender Internet Security XSS
Next by Date: djbdns misformats some long response packets; patch and example attack
Previous by thread: Re: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Next by thread: Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Index(es):
- Date
- Thread