Application: SnapStream PVS
Vendor : http://www.snapstream.com
Versions: LITE
Platforms: Windows/Unix
Bug: Cross Site Scripting Vulnerability
Risk: Low
Exploitation: Remote with browser
Date: 6 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
1) Introduction
2) Bug
3) The Code
1) Introduction
SnapStream PVS is Personal Video Station software. It lets the user
schedule the recording and playback of TV shows using video tapes and cable TV.
2) Bug
When the web server hosting SnapStream PVS LITE receives a
'GET /?' request it ignores it; the data is filtered
as it should be.
But when it receives a 'GET /?">' request the filters
are bypassed
and XSS appears, and the server allows an attacker to inject & execute
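As an added illustration (not part of this advisory and not SnapStream's code): a page that reflects the query string into an attribute behind a tag-stripping filter, beside the attribute-encoding fix. The template, the field names and the text following the advisory's '">' are assumptions used to make the contrast observable.

```python
import html
import re
from html.parser import HTMLParser

# Constructed template: the query is reflected inside an attribute value.
TEMPLATE = '<input type="text" name="q" value="{}">'


def naive_filter(query: str) -> str:
    """Strip anything that looks like a tag. A filter of this kind stops a
    bare tag but does nothing about a '">' that closes the attribute first."""
    return re.sub(r"<[^>]*>", "", query)


def render_naive(query: str) -> str:
    return TEMPLATE.format(naive_filter(query))


def render_encoded(query: str) -> str:
    # Context-aware fix: encode for the attribute context, quotes included.
    return TEMPLATE.format(html.escape(query, quote=True))


class _FirstInput(HTMLParser):
    """Record what a browser sees as the first <input>'s value, plus any
    tags or text that end up outside that attribute."""

    def __init__(self):
        super().__init__()
        self.value = None
        self.leaked = []

    def handle_starttag(self, tag, attrs):
        if self.value is None and tag == "input":
            self.value = dict(attrs).get("value", "")
        else:
            self.leaked.append(tag)  # markup that escaped the attribute

    def handle_data(self, data):
        if data.strip():
            self.leaked.append(data)


def parse(rendered: str):
    """Return (attribute value as parsed, list of leaked markup/text)."""
    p = _FirstInput()
    p.feed(rendered)
    p.close()
    return p.value, p.leaked
```

With the advisory's '">' prefix the naive page yields an empty attribute and the rest of the input lands in the document as markup; the encoded page keeps the whole input inside the attribute.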
3) The Code
Rafel Ivgi, The-Insider
"Things that are unlikeable, are NOT impossible."