Bugtraq mailing list archives
Re: Cross-site scripting vulnerability in SARA v<=4.2.7
From: bugtraq () saintcorporation com
Date: Thu, 18 Dec 2003 18:13:06 -0500 (EST)
On Thu, 18 Dec 2003, toddr arc com wrote:
1. CSS: Tom indicates that SATAN and older versions of SAINT are not vulnerable to CSS. Tom is incorrect as all used the SATAN engine which did not tranlate "<" and ">" to their html codes "<" and "> I suspect that SAINT has fixed it, SARA has, but SATAN has not.
I disagree. Tom's original posting seems correct. Although SARA, SAINT, and SATAN all use an http engine derived from the same code, this specific vulnerability arises from code introduced in SARA which was not part of SATAN or SAINT (from sara_run_action.pl): $debug="ON" if ! $daemon; $debug="" if $daemon; select CLIENT; This block of code enables debugging whenever a scan runs in non-daemon (standalone) mode and redirects the debugging output to the browser, which, prior to 5.0.0, could include service banners containing script tags. And, in any case, worthwhile security ideas should not be discouraged. If every vulnerability posting were considered a "complaint" by the respective vendor, this list would become a very unfriendly environment for sharing security concerns. -- Sam Kline Chief Development Engineer SAINT Corporation
Current thread:
- Cross-site scripting vulnerability in SARA v<=4.2.7 Thomas M. Payerle (Dec 17)
- <Possible follow-ups>
- Re: Cross-site scripting vulnerability in SARA v<=4.2.7 toddr (Dec 18)
- Re: Cross-site scripting vulnerability in SARA v<=4.2.7 bugtraq (Dec 19)