Turbo Traffic Trader C multiple scripts cross-site scripting

turbotraffictraderc-multiple-xss (16164) The risk level is classified as MediumMedium Risk

Description:

Turbo Traffic Trader C is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the administrative interface. A remote attacker could create a specially-crafted URL request to multiple scripts, which would be executed in the victim's Web browser within the security context of the host, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. If a Web site has trades signup enabled, the attacker could steal the administrative authentication cookie, which would allow the attacker to hijack an administrator's session.

Platforms Affected:

  • Turbo Traffic Trader, Turbo Traffic Trader C

Remedy:

No remedy available as of June 27, 2009.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Sun May 16 2004 - 21:46:11 CDT , Multiple TTT-C XSS vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2004-05/0156.html.
  • TurboTrafficTrader Web site, TurboTrafficTrader - Part of Total Traffic System at http://www.turbotraffictrader.com/.
  • BID-10359: TurboTrafficTrader C Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • CVE-2004-2017: Multiple cross-site scripting (XSS) vulnerabilities in Turbo Traffic Trader C (TTT-C) 1.0 allow remote attackers to inject arbitrary HTML or web script, as demonstrated via (1) the link parameter to ttt-out, (2) the X-Forwarded-For header in a GET request to ttt-in, (3) the Referer header in a GET request to ttt-in, or the (4) site name or (5) site URL fields in the main control panel.
  • OSVDB ID: 6339: TTT-C ttt-out Link Variable XSS
  • OSVDB ID: 6340: TTT-C alert.php Multiple Variable XSS
  • OSVDB ID: 6341: TTT-C Edit Panel Script Site Name Variable XSS
  • OSVDB ID: 6342: TTT-C Edit Panel Script Site URL Variable XSS
  • OSVDB ID: 6343: TTT-C Edit Panel Script Webmaster ICQ Variable XSS
  • OSVDB ID: 6344: TTT-C Edit Panel Script Webmaster Email Variable XSS
  • SA11623: TTT-C Multiple Vulnerabilities

Reported:

May 16, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page