[VIM] StaticStore XSS - Vendor disputes, but I dispute the dispute

Stuart Moore smoore at securityglobal.net
Sat Dec 17 20:39:53 EST 2005 

Steve,

It seems that the vendor may have fixed at least part of their demo 
site.  But the search script that is part of the administrative 
interface demo is still vulnerable:

http://www.staticstore.com/cgi-bin/demo/admin/admin11.cgi?keywords="><script>alert(String.fromCharCode(88,83,83))</script>

The code escapes the single quote character, so some minor trickiness is 
required.

I wouldn't ordinarily have wasted my time on this, but references to 
attorneys are usually a sure sign of problems in the code and are 
annoying for sure.

Stuart


Steven M. Christey wrote:
> I sent StaticStore a request to acknowledge the XSS issue as reported
> by r0t in StaticStore Search Engine 1.189A for search.cgi.
> 
> The vendor disputed saying "No, it is not accurate - please show me
> proof of the vulnerability.  If your site cannot show proof, I would
> appreciate you removing the misinformation from your site.  If this is
> not done by the first day of next week I will be forced to contact
> both Blogger and ask our attorney to handle this matter."
> 
> Since the vendor requested proof, I showed how a basic XSS injection
> was possible on the demo site.  I also informed the vendor about how
> XSS is number 4 on OWASP's "Top Ten Web Application" vulnerabilities
> list, and that best practices - as advocated by the National
> Infrastructure Advisory Council's "Vulnerability Disclosure Framework"
> - requires a security response contact, which StaticStore did not
> have, forcing me to contact a sales address.
> 
> I am now patiently awaiting response.
> 
> Can anyone else confirm that this issue is real?
> 
> - Steve
> 
> 
> ======================================================
> Name: CVE-2005-4284
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4284
> Reference: MISC:http://pridels.blogspot.com/2005/12/staticstore-search-engine-friendly-e.html
> Reference: BID:15895
> Reference: URL:http://www.securityfocus.com/bid/15895
> Reference: FRSIRT:ADV-2005-2915
> Reference: URL:http://www.frsirt.com/english/advisories/2005/2915
> Reference: SECUNIA:18037
> Reference: URL:http://secunia.com/advisories/18037
> 
> ** DISPUTED **
> 
> Cross-site scripting (XSS) vulnerability in StaticStore Search Engine
> 1.189A and earlier allows remote attackers to inject arbitrary web
> script or HTML via unspecified parameters to search.cgi, possibly the
> keywords parameter.  NOTE: this issue has been disputed by the vendor,
> saying "No, it is not accurate - please show me proof of the
> vulnerability.  If your site cannot show proof, I would appreciate you
> removing the misinformation from your site.  If this is not done by
> the first day of next week I will be forced to contact both Blogger
> and ask our attorney to handle this matter."  CVE then provided the
> vendor with concrete proof that the issue is real.  CVE is now
> awaiting a response.
> 
> 
> 

-- 
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore at securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax



-------------- next part --------------
A non-text attachment was scrubbed...
Name: staticcart xss.jpg
Type: image/jpeg
Size: 53226 bytes
Desc: not available
Url : http://www.attrition.org/pipermail/vim/attachments/20051217/20188edf/staticcartxss-0001.jpg

More information about the VIM mailing list