Release date: 2011-11-03
Updated on: 2011-11-04
Affected Systems:
RhinoSoft Serv-U Web Client 9.1.0
RhinoSoft Serv-U Web Client 9.0.0.5
RhinoSoft Serv-U Web Client 11.0.0.3
Unaffected Systems:
RhinoSoft Serv-U Web Client 11.0.0.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50503
Serv-U includes a simple browser-based file transfer client.
The Serv-U Web Client has a cross-site scripting vulnerability. Some unspecified inputs sent to the Web Client are not properly filtered before being returned to the user. Attackers can exploit this vulnerability to execute arbitrary HTML and script code in a user's browser in the context of the affected site and steal cookie-based authentication credentials.
<* Source: vendor
Link: http://www.serv-u.com/Browser-Transfer-Client.asp
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
RhinoSoft
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.rhinosoft.com/