OSVDB ID: 62289

Title: Accellion File Transfer Appliance Web Interface Audit Log username Parameter XSS

Info

Disclosure

Nov 04, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

The Accellion File Transfer Appliance contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the username parameter upon submission to the login script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server when a failed login attempt is displayed in the audit log page accessed by administrative users.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Disclosure: Vendor Verified, Vendor Verified, Coordinated Disclosure
OSVDB: Web Related

Solution

Upgrade to version 7_0_296 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Accellion

Secure File Transfer Appliance

FTA_7_0_259

References

CVE ID: 2009-4647 (see also: NVD)
Bugtraq ID: 38176
Secunia Advisory ID: 38522
ISS X-Force ID: 56247
Other Solution URL: http://www.nth-dimension.org.uk/downloads.php?id=67
Generic Exploit URL: http://www.nth-dimension.org.uk/downloads.php?id=68
Other Advisory URL: http://www.portcullis-security.com/339.php

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/62289