SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Escapade Vendors:  Squished Mosquito, Inc.
Escapade Input Filtering Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007666
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 9 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Description:  An input validation vulnerability was reported in Escapade. A remote user can conduct cross-site scripting attacks. A remote user can also determine the installation path.

It is reported that the software does not filter HTML code from user-supplied input when displaying the user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Escapade software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/esp?PAGE=<script>alert(document.domain)</script>

A remote user can reportedly request a non-existent page (or other invalid variables) to cause the system to return an error message that displays the installation path. A demonstration exploit URL is provided:

http://[target]/cgi-bin/esp?PAGE=!@#$%

The vendor has reportedly been notified.
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Escapade software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.escapade.org/ (Links to External Site)
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Bahaa Naamneh <b_naamneh@hotmail.com>
Message History:   None.

 Source Message Contents
Date:  9 Sep 2003 15:38:20 -0000
From:  Bahaa Naamneh <b_naamneh@hotmail.com>
Subject:  Escapade Scripting Engine XSS Vulnerability and Path Disclosure

 



Escapade Scripting Engine XSS Vulnerability and Path Disclosure


Published: 9 September 2003

Released: 9 September 2003

Affected Systems: Escapade Scripting Engine

Vendor: http://www.escapade.org , http://www.squishedmosquito.com

Issue: Remote attackers can inject XSS script and know the path of the 
site. 


Description:
============
Escapade, or ESP for short, is a server-side scripting language that 
provides an interface to back-end database contents. Specifically 
designed to create dynamic information from this data, Escapade can be 
used to generate any kind of document - HTML, XML, text, and more. 
While server-side scripting is not a new concept, ESP is a breakthrough 
product that will enable programmers to much more easily have access to 
data in databases in their web pages without having to resort to ASP or 
complicated back-end Perl or PHP scripts. 


Details:
========
It's possibile to inject XSS script in the method variable. 

Example: 

http://www.site.com/cgi-bin/esp?PAGE=&lt;script&gt;alert(document.domain)
&lt;/script&gt;

It's possible to make a malformed http request for many variables in 
Escapade and in doing so trigger an error. The resulting error message 
will 
disclose potentially sensitive installation path information to the 
remote attacker. 

Example:

http://www.site.com/cgi-bin/esp?PAGE=!@#$%


Solution:
=========
The vendor has been contacted and a patch is not yet produced.


Suggestions:
============
Filter the method variable (xss problem), filter all variables. 


Discovered by / credit:
=======================
Bahaa Naamneh
b_naamneh@hotmail.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC