Friday 21 November 2008

PR04-12: Ringtail Casebook 6.1.0 Cross-Site Scripting vulnerability

Ringtail CaseBook version 6.1.0 (and possibly earlier versions) is vulnerable to Cross Site Scripting through the 'users' variable in the login.asp program.

Date Found: 7th April 2004

Date Public: 1st November 2005 (see notes)

Vulnerable: Ringtail CaseBook version 6.1.0 and possibly earlier versions

Severity: High

Authors: Gemma Hughes of ProCheckUp Ltd

Description:

Ringtail CaseBook version 6.1.0 and possibly earlier versions are vulnerable to Cross Site Scripting attacks in the 'users' variable, passed to the file login.asp as part of an HTTP GET request. A malicious attacker could cause the execution of HTML or script code in the browser of an individual who clicks on a link to a site using the vulnerable version of Ringtail CaseBook.

The exploit code for this vulnerability has been withheld while clients consult the vendor to resolve the issue.

Notes:

This advisory was originally sent to the CERT/CC in April 2004 with no action taken. Following consultation with UK NISCC, ProCheckUp have now published the advisory via Security Focus.

Consequences:

A malicious attacker could cause the execution of hostile HTML and script code in the web client of a user who clicks on a link to a site running the vulnerable Ringtail CaseBook program.

Fix:

FTI Ringtail advise clients to upgrade to v2005 to address this and other security issues.

For further details please contact your support partner or FTI Ringtail via support@ringtailsolutions.com.
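
Added example (not part of the original advisory and not Ringtail code): while the upgrade is pending, access logs can be checked for login.asp requests whose 'users' parameter decodes to HTML markup. The log layout, the /app/ path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Characters that let a reflected value leave plain-text context.
# Triage heuristic: a quote in a legitimate value will also be flagged.
MARKUP = re.compile(r"[<>\"']")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_users_param(request_target):
    """Return the decoded 'users' value if a login.asp request carries markup, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/login.asp"):
        return None
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "users":
            decoded = decode_fully(value)
            if MARKUP.search(decoded):
                return decoded
    return None

def scan(log_text):
    """Return (line number, decoded value) for every flagged request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()  # assumed layout: date time method target status
        if len(fields) < 4:
            continue
        hit = suspicious_users_param(fields[3])
        if hit is not None:
            hits.append((lineno, hit))
    return hits

# Constructed sample lines; the markup used is inert formatting only.
SAMPLE_LOG = """\
2005-11-01 10:00:01 GET /app/login.asp?users=jsmith 200
2005-11-01 10:00:07 GET /app/login.asp?users=%3Cb%3Ex%3C%2Fb%3E 200
2005-11-01 10:00:09 GET /app/Login.asp?page=1&users=%253Ci%253E 200
2005-11-01 10:00:12 GET /app/search.asp?users=%3Cb%3E 200
"""

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: users decodes to {value!r}")
```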

References:

http://www.procheckup.com/Vulnerabilities.php

Legal:

Copyright 2005 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.

© ProCheckUp Ltd 2008