"Livelink features several advanced foundational elements that allow organizations to rapidly and easily enable advanced content management applications and solutions throughout the enterprise." Livelink does not set a character set automatically, either in the HTTP Content-Type response header or in a meta tag in the HTML body, so the browser is left to guess the encoding of every page it serves.
Credit:
The information has been provided by David Kierznowski.
The original article can be found at: http://withdk.com/archives/livelink-utf7-xss-advisory.pdf
Vulnerable Systems:
* Livelink version 9.0.0
* Livelink version 9.1.0
* Livelink version 9.5.0
Because Livelink declares no character set, browsers that auto-detect encodings (Internet Explorer of that era being the classic case) can be induced to interpret a Livelink page as UTF-7. An attacker who can get input reflected into a page, for example a search term, can supply the injected markup in UTF-7 form, where the angle brackets become base64 runs such as +ADw- and +AD4-. Any output filtering that looks for literal < and > characters sees nothing to escape, while the browser decodes the runs back into a <script> tag and executes the attacker's JavaScript in the context of the Livelink site.
Disclosure information:
18/Jan/2008: Disclosed to vendor
25/Jan/2008: Vendor response: the next version will default to UTF-8 when no encoding is specified.
31/Jan/2008: Advisory released