13 Aug 2009, xqus

Cross-Site Scripting (XSS) in IDLogger website statistics version 7.7

------------------------------------------------------------------------
Cross-Site Scripting (XSS) in IDLogger website statistics version 7.7
------------------------------------------------------------------------

Author: Audun Larsen (larsen at xqus dot com)
Date: August 13, 2009

--AFFECTED SOFTWARE--------------------------

Name: IDLogger
Version: 7.7
Website: http://www.idlogger.com

Vendor description:
The InDoorsLogger offers webmasters full realtime logging and
monitoring of their websites. Our powerful invisible web
tracking system will monitor and record all your website
visitors and let you see exactly what your users are doing
on your website while they are surfing it.

--DISCUSSION---------------------------------

InDoors logger is vulnerable to a persistent (stored)
Cross-Site Scripting attack. The problem exists because the HTTP Referer
header is logged and later displayed on the "Detailed Statistics" page
without being properly escaped for its HTML context.

--EXPLOIT------------------------------------

To exploit the vulnerability, send an HTTP request to a site with
IDLogger installed that carries the following HTTP header:
Referer: http://www.example.com/?=">
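
The escaping failure described above, shown as an added example that is not
IDLogger's code (the product's own language and source are not given here):
the vulnerable rendering pattern beside a hardened one that escapes the stored
Referer at output time and only turns http(s) values into links. The sample
header value is constructed, modelled on the advisory's `">` example.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a logged Referer header. The `">` sequence closes the
# href="..." attribute, so everything after it lands in the page as markup.
SAMPLE_REFERER = 'http://www.example.com/?="><em>injected</em>'


def render_referer_unsafe(referer: str) -> str:
    """The flawed pattern: the stored header is written straight into HTML."""
    return f'<a href="{referer}">{referer}</a>'


def safe_link_target(referer: str) -> Optional[str]:
    """Return the referer if it is an absolute http(s) URL, else None.

    A statistics page has no reason to link to javascript:, data: or
    relative targets; those are rendered as plain text below.
    """
    parts = urlsplit(referer)
    if parts.scheme in ("http", "https") and parts.netloc:
        return referer
    return None


def render_referer_safe(referer: str) -> str:
    """Hardened rendering: escape for the HTML context at output time.

    html.escape(quote=True) converts <, >, &, " and ' into entities, which
    neutralises the value in both the attribute and the text context used here.
    """
    text = html.escape(referer, quote=True)
    target = safe_link_target(referer)
    if target is None:
        return f"<span>{text}</span>"
    return f'<a href="{html.escape(target, quote=True)}">{text}</a>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Check used below: did the injected <em> tag survive as real markup?"""
    return "<em>" in rendered


if __name__ == "__main__":
    for render in (render_referer_unsafe, render_referer_safe):
        out = render(SAMPLE_REFERER)
        print(f"{render.__name__}: {out}")
        print("  attribute break-out:", breaks_out_of_attribute(out))
```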

--DISCLAIMER---------------------------------

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

Copyright © 2009 Audun Larsen, some rights reserved:
http://creativecommons.org/licenses/by-sa/3.0/