SecurityFocus

Zeus Admin Server v4.1r2 index.fcgi XSS bug Nov 08 2002 07:39PM
euronymous (just-a-user yandex ru) (1 replies)

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug
product: Zeus Admin Server v4.1r2 for linux/x86
vendor: http://www.zeus.co.uk
risk: very low (authorisation required)
date: 11/8/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/007.txt
http://xakep.host.sk/bz/007.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
-----------
in default Zeus installation, you can to access
management interface via http://hostname:9090.

[you have to enter correct login/password here]

there is some general script, that contain xss bug.
btw, default management login is `admin'..

sample attack
-------------
http://hostname:9090/apps/web/index.fcgi?servers=
&section=<script>alert(document.cookie)</script>

[it must be in a single string]

shouts: HACKRU Team, DHG, Spoofed Packet, all russian security guyz
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================

[ reply ]

Re: Zeus Admin Server v4.1r2 index.fcgi XSS bug Dec 11 2002 11:40AM
Colin Watson (colinw zeus com)