Reported July 17, 2002, by Peter Gründl.
VERSION AFFECTED
- Macromedia Sitespring 2.0 for Windows 2000 Server
DESCRIPTION
A cross-site scripting vulnerability exists in the default error page of Macromedia’s Sitespring. Because the default HTTP 500 error script doesn't check the contents of the error ticket parameter before outputting it, an attacker can inject JavaScript into the URL.
VENDOR RESPONSE
The vendor, Macromedia, hasn't released a fix for this vulnerability, but affected users can work around the problem by replacing the default HTTP 500 error page with a custom page.
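The following is an added example, not Macromedia's code and not part of the original advisory: it shows what a replacement HTTP 500 page has to do with the ticket value, next to the unchecked behaviour described above. The page template, the function names and the ticket format (short alphanumeric identifier) are assumptions made for illustration.

```python
import html
import re

# Assumption: tickets are short alphanumeric identifiers. The advisory does
# not describe the real ticket format, so adjust the pattern to match it.
TICKET_RE = re.compile(r"[A-Za-z0-9-]{1,64}")

# Hypothetical error-page template with a single slot for the ticket value.
PAGE = "<html><body><h1>HTTP 500</h1><p>Error ticket: {ticket}</p></body></html>"


def render_unchecked(ticket: str) -> str:
    """Mirrors the flaw in the advisory: the parameter is written out as-is."""
    return PAGE.format(ticket=ticket)


def render_custom(ticket: str, validate: bool = True) -> str:
    """Custom error page: allow-list the value, then HTML-encode on output.

    Encoding is applied even when validation passes, so the page stays safe
    if the allow-list is later loosened or switched off.
    """
    if validate and not TICKET_RE.fullmatch(ticket):
        ticket = "(invalid ticket)"
    return PAGE.format(ticket=html.escape(ticket, quote=True))


def reflected_raw(page: str, value: str) -> bool:
    """Regression check: did the raw request value reach the page unencoded?"""
    return value in page


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = ["ABC-123", "<script>alert(1)</script>"]
    for s in samples:
        print(repr(s))
        print("  unchecked reflects raw:", reflected_raw(render_unchecked(s), s))
        print("  custom page          :", render_custom(s))
        print("  encode-only          :", render_custom(s, validate=False))
```

The `reflected_raw` check can be kept as a regression test for whatever page replaces the default one.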
CREDIT
Discovered by Peter Gründl.