← Advisories

Embedthis Appweb Web Server 3.2.2-1 (Ejscript) Remote XSS Vulnerability

Medium
Advisory ID
ZSL-2010-4985
Release Date
23 December 2010
Vendor
Embedthis Software LLC - http://www.appwebserver.org
Affected Version
3.2.2-1
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

Appweb has a multi-threaded, event-driven, core to deliver exceptional throughput, response and outstanding memory utilization. It is compact and will embed using as little as 800K of memory. Appweb is a standards-based embedded HTTP server that has a wealth of features.

Description

Appweb Web Server suffers from a remote reflected Cross-Site Scripting vulnerability when input passed to the Ejscript web framework is not properly sanitized, allowing the attacker to execute arbitrary HTML and script code in a user's browser session and aid in phishing attacks.

Proof of Concept
appweb_xss.txtTXT
Disclosure Timeline
12.10.2010Vulnerability discovered.
12.11.2010Contact with the vendor.
12.11.2010Vendor replies asking more details.
13.11.2010Sent detailed description of the vulnerability to the vendor.
15.11.2010Working with the vendor.
22.11.2010Vendor plans a fix in version 3.2.3.
23.12.2010Vendor releases patch: http://appwebserver.org/downloads/appweb/download.php
23.12.2010Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Michael O'Brien
References
[1]http://appwebserver.org/products/appweb/doc/product/changeLog.html#r3.2.3
[2]http://appwebserver.org/forum/viewtopic.php?f=1&t=1894
[3]http://secunia.com/advisories/42739/
[4]http://www.secuobs.com/revue/news/273977.shtml
[5]http://www.securityfocus.com/bid/45568
[6]http://securityreason.com/wlb_show/WLB-2010120116
[7]http://osvdb.org/show/osvdb/70086
[8]http://packetstormsecurity.org/files/97005
Changelog
23.12.2010Initial release
24.12.2010Added reference [3], [4] and [5]
25.12.2010Added reference [6], [7] and [8]