I just upgraded from g to h - I have run a bunch of tests and have rooted around my admin with no problems yet.
Until now:
Enter Who's Online and I get the popup.
Message from Website
struts_sa_surl_xss.nasl
Then I click OK a number of times and then it is gone.
Also I have about 213 customers in the site all the same?
Does anyone have any ideas where I might have screwed things up?
Thought I had uploaded the files meticulously.
Thread: Who' online
Results 1 to 6 of 6
-
19 Feb 2011, 02:19 AM #1
Totally Zenned
- Join Date
- Jun 2009
- Location
- Des Moines, Iowa USA
- Posts
- 580
- Plugin Contributions
- 0
Who' online
-
19 Feb 2011, 03:49 PM #2
Past Contributor
- Join Date
- Nov 2004
- Location
- Norfolk, United Kingdom
- Posts
- 3,036
- Plugin Contributions
- 2
Re: Who' online
From this address:Family CGI abuses : XSS
Nessus Plugin ID 38208 (struts_sa_surl_xss.nasl)
Bugtraq ID 34686
CVE ID CVE-2008-6682
Description:
Synopsis :
The remote host is running a web application with multiple cross-site
scripting vulnerabilities.
Description :
The web application on the remote host is vulnerable to cross-site
scripting attacks. This is likely due to a vulnerable version of
Apache Struts that fails to properly encode the parameters in the
's:a' and 's:url' tags.
A remote attacker could exploit this by tricking a user into
requesting a page with arbitrary script code injected. This could
have consequences such as stolen authentication credentials.
See also :
https://issues.apache.org/jira/browse/WW-2414
https://issues.apache.org/jira/browse/WW-2427
http://www.nessus.org/u?ed70fe34
Solution :
Upgrade to Struts version 2.1.1 / 2.0.11.1 or later.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I
/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true
http://www.nessus.org/plugins/index....ingle&id=38208
Vger
-
19 Feb 2011, 04:45 PM #3
Totally Zenned
- Join Date
- Jun 2009
- Location
- Des Moines, Iowa USA
- Posts
- 580
- Plugin Contributions
- 0
Re: Who' online
Oh thank you Vger
I did some checking this morning and it so happens that my scanning company was running a PCI compliance scan at the same time I was doing all my test - how is that for coincidence? Thank you for solve the issue -
-
20 Feb 2011, 01:13 AM #4
New Zenner
- Join Date
- May 2010
- Location
- Barendrecht, Netherlands
- Posts
- 20
- Plugin Contributions
- 0
Re: Who' online
Just so you know, you should disable the "Who's online" module because it really does contain a XSS vulnerability! I reported this on december 22th, 2010 in the "Reports of Security Problems"-forum, but no-one even responded!
rros
blis.biz BLiS Innovatieve Internet Oplossingen
-
20 Feb 2011, 02:16 PM #5
Past Contributor
- Join Date
- Nov 2004
- Location
- Norfolk, United Kingdom
- Posts
- 3,036
- Plugin Contributions
- 2
Re: Who' online
If people are using 1.3.9h then it should not conain any known XSS vulnerabilities. If they are still using .3.8 or earlier then of course they are in trouble.
Vger
-
25 Feb 2011, 02:54 AM #6
Totally Zenned
- Join Date
- Jun 2009
- Location
- Des Moines, Iowa USA
- Posts
- 580
- Plugin Contributions
- 0
Re: Who' online
I passed my scan with flying colors - they had an issue with the inconsistent error messages when a folder was not available but that was sovled thru my server.
Reply With Quote
Similar Threads
-
Who's Online
By Fancyfrills in forum Managing Customers and OrdersReplies: 3Last Post: 13 Nov 2012, 06:53 PM -
who's online
By raf696 in forum General QuestionsReplies: 2Last Post: 19 Nov 2011, 12:24 PM -
Who's Online
By crichw in forum General QuestionsReplies: 1Last Post: 8 Sep 2009, 08:29 PM -
Who's Online - User gone, but Admin says online
By johnd in forum General QuestionsReplies: 2Last Post: 23 Sep 2007, 01:57 AM -
Who is online...side admin vs online group pricing mod
By csfound in forum General QuestionsReplies: 8Last Post: 18 Jul 2007, 04:27 AM
Bookmarks