RemotelyAnywhere HTTP Service /img/ XSS
Date: 2008/03/11
1) There is a service 'RAMaint' (a watchdog task). It runs as LocalSystem
(doesn't everything?!) and uses an unsafe (unquoted - c:\program.exe) path
in versions earlier than v8. v8 and onwards use an absolute path.
2) There is an XSS in the RemotelyAnywhere HTTP service, which you can use
to steal cookies. Of course, you need to entice your target to visit the
address and send the cookie somewhere.
/img/<script>alert(document.cookie);</script>.html
The error is interpreted by the browser as text/html.
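The fix for item 2, as an added example that is not part of the original advisory and not RemotelyAnywhere's code: a hypothetical error-page handler that reflects the requested path, shown beside a hardened version that HTML-encodes it. The function names, page markup and response headers chosen here are assumptions; only the request path comes from the advisory.

```python
import html
from urllib.parse import unquote

# Request path from the advisory's proof of concept, plus a constructed
# percent-encoded form of the same kind of input.
POC_PATH = "/img/<script>alert(document.cookie);</script>.html"
ENCODED_PATH = "/img/%3Cscript%3Ealert(1)%3C/script%3E.html"

PAGE = "<html><body><h1>404 Not Found</h1><p>{}</p></body></html>"


def error_page_vulnerable(raw_path):
    """Hypothetical 'before': the decoded path is written into the HTML as-is."""
    path = unquote(raw_path)
    headers = {"Content-Type": "text/html"}
    return 404, headers, PAGE.format(path).encode("utf-8")


def error_page_hardened(raw_path):
    """'After': the path is HTML-encoded at the point it is written out."""
    path = unquote(raw_path)
    safe = html.escape(path, quote=True)  # < > & " ' become entities
    headers = {
        # Explicit charset so the browser does not guess an encoding.
        "Content-Type": "text/html; charset=utf-8",
        # Stop the browser from re-interpreting the response type.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: an error page has no need to run script.
        "Content-Security-Policy": "default-src 'none'",
    }
    return 404, headers, PAGE.format(safe).encode("utf-8")


def reflects_markup(response):
    """Regression check: True if the body carries an unescaped <script tag."""
    _status, _headers, body = response
    return b"<script" in body.lower()


if __name__ == "__main__":
    for p in (POC_PATH, ENCODED_PATH):
        print(p, reflects_markup(error_page_vulnerable(p)),
              reflects_markup(error_page_hardened(p)))
```
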
Credit: Patrick Webster