Instant Virtual Extranet (IVE) CGI script cross-site scripting

ive-cgi-xss (11997) The risk level is classified as MediumMedium Risk

Description:

Instant Virtual Extranet (IVE) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could embed malicious script within a URL request to a specific CGI script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to hijack the victim's session.

Platforms Affected:

  • Neoteris, Instant Virtual Extranet (IVE) 3.01 and prior

Remedy:

Upgrade to the latest version of IVE (3.1 or later), available from the Neoteris Support Web page. See References.

—OR—

Apply the patch for this vulnerability, available from the Neoteris Support Web page. See References.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Mon May 12 2003 - 22:49:58 CDT , XSS In Neoteris IVE Allows Session Hijacking at http://archives.neohapsis.com/archives/bugtraq/2003-05/0130.html.
  • Neoteris Support Web site, Neoteris Support and Partner Site at https://support.neoteris.com.
  • BID-7510: Neoteris Instant Virtual Extranet Cross Site Scripting Session Hijacking Vulnerability
  • CVE-2003-0217: Cross-site scripting (XSS) vulnerability in Neoteris Instant Virtual Extranet (IVE) 3.01 and earlier allows remote attackers to insert arbitrary web script and bypass authentication via a certain CGI script.

Reported:

May 12, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page