WebApp Sec mailing list archives
Praetorian Advisory: Reflective XSS in Alkaline Search Engine Server
From: Praetorian Advisories <advisory () praetoriangrp com>
Date: Wed, 10 Feb 2010 11:26:01 -0600
Advisory Title: Reflective XSS in Alkaline Search Engine Server
Release Date: 02-10-2010
Vendor: Vestris, Inc.
Application: Alkaline Search Engine Server
Version: 1.9

Overview:
Alkaline is a multi-platform, all-in-one index and search engine server.

Details:
The web interface for the Alkaline Search Engine Server does not validate user input or sanitize its output prior to display in the viewing page. As a result, a malicious user can use the Alkaline server to perform unauthenticated, reflective cross-site scripting attacks by passing arbitrary scripting content in the request, which the server displays verbatim in the error message it returns.

Example:
http://somealkalineserver.com:<9999>/<script>alert('test');</script>/a

Vendor Response:
The vendor, Vestris Inc, has been contacted on the matter and stated that both the software and the company are no longer in operation. Alkaline version 1.9 is the last release of the product, and no patches will be made available for this or any other vulnerability. According to the company's website: "Vestris is gone, but we're giving it all away for free. You can download software from this page..."

Although the product has reached end of life, the software is still available for download and has been identified in DMZ environments. For these reasons, value is still seen in disclosure.

Recommendation:
Given the state of the software, end users should ascertain whether instances identified in their environment still have a legitimate purpose and decommission those servers as appropriate. Cursory review suggests several other vulnerabilities are present in the product, but an in-depth analysis has not been performed.

For more information please visit http://www.praetoriangrp.com or email research () praetoriangrp com

Praetorian General PGP Key: http://www.praetoriangrp.com/praetorian.asc
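As an added illustration (not part of the advisory and not Alkaline code), the echo-the-path pattern described above beside an output-encoded form, plus a check over constructed access-log lines for requests whose path carries markup; the function names, sample path and log lines are assumptions, not values from the product.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request path, modelled on the advisory's example
# (a script element placed in the URL path of a request to the server).
SAMPLE_PATH = "/<script>alert('test');</script>/a"

def error_page_unsanitized(path: str) -> str:
    """Mirrors the behaviour the advisory describes: the requested path is
    interpolated into the error message verbatim, so any markup in the path
    is parsed by the browser. Shown for contrast only."""
    return f"<html><body>Error: document {path} not found</body></html>"

def error_page_escaped(path: str) -> str:
    """Hardened variant (hypothetical, added here): HTML-encode the path
    before it is placed in the response body, so '<', '>', quotes and '&'
    are rendered as text rather than interpreted as markup."""
    safe = html.escape(path, quote=True)
    return f"<html><body>Error: document {safe} not found</body></html>"

def contains_script_element(rendered: str) -> bool:
    """True if a live <script> start tag survives in the rendered page."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None

# Constructed access-log lines in Common Log Format (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2010:11:26:01 -0600] "GET /search?q=alkaline HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2010:11:27:13 -0600] "GET /%3Cscript%3Ealert('test');%3C/script%3E/a HTTP/1.1" 404 310
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

def flag_markup_in_paths(log_text: str) -> list[str]:
    """Return the request targets whose percent-decoded form contains an
    HTML tag opener; on an unpatched Alkaline 1.9 host such a path would be
    echoed back in the error page, so these lines merit review."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and MARKUP_RE.search(unquote(m.group("target"))):
            hits.append(m.group("target"))
    return hits

if __name__ == "__main__":
    print(error_page_escaped(SAMPLE_PATH))
    print(flag_markup_in_paths(SAMPLE_LOG))
```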