[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Zeus Admin Server v4.1r2 index.fcgi XSS bug
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug
product: Zeus Admin Server v4.1r2 for linux/x86
vendor: http://www.zeus.co.uk
risk: very low (authorisation required)
date: 11/8/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/007.txt
http://xakep.host.sk/bz/007.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
description
-----------
in default Zeus installation, you can to access
management interface via http://hostname:9090.
[you have to enter correct login/password here]
there is some general script, that contain xss bug.
btw, default management login is `admin'..
sample attack
-------------
http://hostname:9090/apps/web/index.fcgi?servers=
§ion=<script>alert(document.cookie)</script>
[it must be in a single string]
shouts: HACKRU Team, DHG, Spoofed Packet, all russian security guyz
fuck_off: slavomira and other dirty ppl in *.kz
================
im not a lame,
not yet a hacker
================