Tuesday 25 September 2007

Freeside XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 25 September 2007
Vendor: www.sisd.com
Affected versions: Freeside v1.7.2
Other versions may also be affected.
###############################################

Freeside contains a flaw that allows remote Cross-Site Scripting attacks. Input passed to the "failed" parameter in "search/cust_bill_event.cgi" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
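To make the "properly sanitised" fix concrete, here is an added illustration (not Freeside's code, which is Perl/Mason; the page fragment and query string are constructed stand-ins) showing the "failed" parameter reflected raw versus HTML-escaped, plus a check a maintainer can keep as a regression test:

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for a query string sent to search/cust_bill_event.cgi.
# "failed" is the parameter named in the advisory; the percent-encoded markup
# is a harmless marker used only to show whether input is reflected verbatim.
SAMPLE_QUERY = "failed=1%3Cb%3Emarker%3C%2Fb%3E&agentnum=1"
RAW_MARKER = "<b>marker</b>"


def get_failed(query: str) -> str:
    """Extracts the URL-decoded 'failed' value (empty string if absent)."""
    return parse_qs(query).get("failed", [""])[0]


def vulnerable_render(query: str) -> str:
    """Reflects the decoded 'failed' value straight into the page.

    This is the pattern the advisory describes: the browser receives any
    angle brackets the client sent, so they are parsed as markup.
    """
    return f"<h2>Invoice events (failed={get_failed(query)})</h2>"


def hardened_render(query: str) -> str:
    """Same page, with the value entity-encoded before it is emitted.

    html.escape turns < > & " ' into entities, so the value is displayed
    as text and can no longer open a tag or attribute.
    """
    return f"<h2>Invoice events (failed={html.escape(get_failed(query), quote=True)})</h2>"


def reflects_markup(rendered: str, raw_value: str) -> bool:
    """True when the raw (unescaped) value appears in the output.

    Usable as a regression check: after the fix, no request value that
    contains markup characters should come back unchanged.
    """
    return raw_value in rendered
```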

2 comments:

ivan said...

Hello,

A hotfix for 1.7.2 for this XSS issue was checked into our CVS repository on October 2nd and may be downloaded from
http://www.sisd.com/cgi-bin/viewvc.cgi/freeside/httemplate/search/cust_bill_eve$

This issue is also corrected in the upcoming 1.7.3 and 1.9.0 releases.

As the vendor of the product in question, I'd like to express my
disappointment that we were never contacted about this vulnerability,
either before, or, at the very least, at the same time as public
release. Extremely disappointing and unprofessional handling of this
from "r0t" and "pridels-team".

Ivan Kohler
President, Chief Geek and Janitor
Freeside Internet Services, Inc.

ivan said...

(corrected URL)

Hello,

A hotfix for 1.7.2 for this XSS issue was checked into our CVS
repository on October 2nd and may be downloaded from
http://www.sisd.com/cgi-bin/viewvc.cgi/freeside/httemplate/search/cust_bill_event.cgi?r1=1.12&r2=1.12.2.1&pathrev=FREESIDE_1_7_BRANCH&view=patch

This issue is also corrected in the upcoming 1.7.3 and 1.9.0 releases.

As the vendor of the product in question, I'd like to express my
disappointment that we were never contacted about this vulnerability,
either before, or, at the very least, at the same time as public
release. Extremely disappointing and unprofessional handling of this
from "r0t" and "pridels-team".

Ivan Kohler
President, Chief Geek and Janitor
Freeside Internet Services, Inc.