Dr. Web Control Center Admin UI Remote Script Code Injection ============================================================= Affected Products/Versions -------------------------- Product Name: Dr. Web Enterprise Server Version Number: 6.00.3.201111300 Product/Company Information --------------------------- >From Dr. Web's website: "Dr.Web Enterprise Security Suite is a set of Dr.Web software products incorporating anti-viruses for protection of all hosts in a corporate network and a single Control Center for managing most of the products." Dr. Web's Website can be found at http://www.drweb.com Vulnerability Description ------------------------- Dr. Web Enterprise Security Suite is managed via a web based interface called Control Center. If an attacker suplies java script code instead of a username on the login page, this script code will be automatically executed every time an administrative user is viewing the audit log. This attack can be used to steal authentication cookies or to drive further attacks. Patch Information ----------------- Patch is available from vendor. Advisory Information --------------------- This: http://www.oliverkarow.de/research/drweb.txt History ------- 13/07/2012 - Informing Dr. Web about vulnerability 16/07/2012 - Initial response from Dr. Web 23/07/2012 - Fix successfully tested, sent response to Dr. Web 30/07/2012 - Advisory releaseБрой прочитания на тази страница: 1412
Dr. Web Control Center 6.00.3.201111300 XSS Vulnerability