Bugtraq mailing list archives
WiredRed EPOP XSS Vulnerability
From: Adrian Castro <acastro () linuxquestions net>
Date: Wed, 8 Feb 2006 00:01:20 -0800 (PST)
---Summary---
Software Affected: EPOP WebConference Server
Software Versions: 4.1.0.755
Vendors URL: www.wiredred.com
Vulnerability Type: Cross Site Scripting
Proof of Concept: An exploit is not required
Threat Level: Low
---Product Description---
e/pop from WiredRed provides a complete solution for all of your real-time communications requirements: web
and desktop video conferencing, secure IM and alert messaging. As a user, you'll love the hassle free interface and
breadth of options that will enhance your training, sales and collaboration.
---Vulnerability Description---
When creating public or private conferences in e/pop server, the topic name is not properly sanitized. This
allows an XSS attack in which every user who visits the root (login) page of the e/pop web server can, among
other things, be fooled into entering their login information on a remote server. By default, e/pop is enabled
with or without optional SSL connections to the web server. Any standard authenticated user can perform this
attack against all other users or visitors of the web server.
---Solution---
None at this time.
---Credit---
Adrian Castro
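
Added example, not part of the original advisory and not e/pop code: a sketch of the flaw class described under "Vulnerability Description" (a stored topic name placed into a page without encoding) beside two defensive controls, output encoding at render time and an allowlist check at conference creation. The function names, the 80-character limit, the allowed character set and the sample topics are all assumptions made for illustration.

```python
import html
import re

# Assumed limits for this illustration; not taken from e/pop.
MAX_TOPIC_LEN = 80
# Allowlist applied when a conference is created: word characters,
# spaces and a small set of punctuation. Angle brackets are excluded.
TOPIC_ALLOWED = re.compile(r"[\w .,:()'&/-]+")


def validate_topic(topic: str) -> str:
    """Input-side check: reject empty, over-long or non-allowlisted topics."""
    topic = topic.strip()
    if not topic or len(topic) > MAX_TOPIC_LEN:
        raise ValueError("topic length out of range")
    if not TOPIC_ALLOWED.fullmatch(topic):
        raise ValueError("topic contains disallowed characters")
    return topic


def render_unsafe(topics):
    """The flaw class: stored topic text concatenated into markup as-is."""
    return "<ul>" + "".join(f"<li>{t}</li>" for t in topics) + "</ul>"


def render_safe(topics):
    """Output-side fix: HTML-encode each stored value where it enters markup."""
    items = "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in topics)
    return "<ul>" + items + "</ul>"


# Constructed sample data: two ordinary topics and one carrying markup.
SAMPLE = ["Weekly sales sync", "<script>/* marker */</script>", "R&D: Q1 review"]

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE))
    print("safe:  ", render_safe(SAMPLE))
    for t in SAMPLE:
        try:
            validate_topic(t)
            print("accepted:", t)
        except ValueError as exc:
            print("rejected:", t, "-", exc)
```

Output encoding is the control that matters on the login page, because it also neutralizes topics stored before any input check existed; the creation-time allowlist is defense in depth.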
