Zeus Web Server Admin Interface Cross Site Scripting Vulnerability

On November 9th 2002, a cross-site-scripting attack against the Zeus Administration Server was reported on bugtraq (incident "Zeus Web Server Admin Interface Cross Site Scripting Vulnerability"). Zeus Technology have investigated this report and confirm that a harmless cross-site-scripting exploit is possible under very limited conditions. If an attacker tricked a Zeus Administrator into following a carefully constructed link while logged into the Administration Server, the attacker could retrieve a list of group names, and monitored variable names and machines. This information is not security-sensitive. Zeus Technology agree with the reporter's assessment that the risk is 'very low'.

This vulnerability is present in Zeus Web Server 4.0 and 4.1. It has been resolved in Zeus Web Server 4.1r5 (released 19th Nov. 2002) and Zeus Web Server 4.2 (released 21st Nov. 2002).

More details

This exploit can be used to retrieve any information stored in cookies by the Zeus Administration Server. To mount an attack, an attacker must have prior knowledge of the host and port that the Administration Server is running on, and must trick a Zeus Administrator into following a carefully constructed link while logged into the Administration Server.

The Zeus Administration Server uses cookies to record several items of transient state: the state of the folding list of groups of virtual servers, and the list of currently monitored variables and machines if real-time monitoring is in place. It does not use cookies to store any security-sensitive information, such as usernames or passwords.

Zeus Technology continue to advise that the Administration Server is shut down when not in use as a matter of routine. Zeus Technology do not believe that this vulnerability is serious enough to merit upgrading to versions 4.1r5 or 4.2.
Zeus Technology work closely with customers, evaluators, security professionals and other researchers to ensure their products are secure and free from defects. Any security-related comments received at security@zeus.com or through any other means are treated with the utmost attention. Zeus Technology regret that the researcher who discovered this exploit did not make any attempt to contact the vendor at any time.
[Administrator] 21 November 2002