Hello,

Just read this: http://online.securityfocus.com/archive/1/259015

Summary: "Exist three vulnerabilities: a) Cross Site Scripting. b) Traversal vulnerabilities. c) Denial Of Service. (Exploit Released) Cobalt's service.cgi incorrectly handles the incoming search parses, incoming HTML tags or JavaScript will be included inside the result without them being filtered out for dangerous content. A similar problem occurs with the x.cgi's inclusion of malicious code inside the resulting title search."

I've done some work looking into this and the exploit doesn't seem to do anything on my test RaQ4, and it seems that you need a valid username/password to use the CSS and traversal vulns.

The traversal vuln. doesn't look as bad as reported because you don't seem to be able to go above /usr/admserv/html/, and since the Cobalt scripts don't use cookies, I'm not sure I understand how the CSS vuln is significantly dangerous.

So, on the face of it, it seems quite worrying, but I've not been able to identify anything significant in my testing.

Regards,
Jonathan Michaelson

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
