Project Woodstock 404 Error Page UTF-7 Encoded XSS

This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.

Synopsis :

The remote web server is running a web application that is affected by
a cross-site scripting vulnerability.

Description :

The remote web server contains a web application built using Woodstock
components, a set of user interface components for the web based on
JavaServer Faces and AJAX. Woodstock is part of Sun GlassFish
Enterprise Server and can also be used with other Java web containers,
such as JBoss, Tomcat, and WebLogic.

The version of Woodstock in use fails to properly sanitize user-supplied
URI data when generating the 404 error page. By sending UTF-7 encoded
URIs to the affected application, an attacker could launch cross-site
scripting attacks.

Note that this attack only works if the victim's browser is configured
to auto-detect the character encoding and recognizes UTF-7.
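As an added illustration (not Tenable's plugin code and not Woodstock's own error handling), the following Python sketch of a hardened 404 renderer shows the two controls that close this class of bug: HTML-escaping the reflected path and declaring the response charset explicitly. The helper `utf7_reinterpretation` also shows why escaping alone would not have been enough here: a UTF-7 shift sequence is made only of ASCII letters, digits, `+` and `-`, none of which an HTML escaper touches, so the explicit charset is what removes the browser's reason to sniff. Function names, the detection pattern and the sample path are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Loose indicator for UTF-7 shift sequences ("+<base64>-") in a request
# path; meant for logging/alerting only and will need tuning, since a
# literal "+" followed by letters (e.g. "c+plus") also matches.
UTF7_SHIFT_RE = re.compile(r"\+[A-Za-z0-9+/]+-?")


def build_404(request_uri: str) -> tuple[dict, str]:
    """Hardened 404 renderer (hypothetical, not Woodstock's code).

    Control 1: the reflected path is HTML-escaped.
    Control 2: the charset is declared in both the header and a <meta>
    tag, so a browser set to auto-detect encoding has nothing to guess.
    """
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    shown = html.escape(unquote(request_uri))
    body = (
        '<!DOCTYPE html><html><head><meta charset="UTF-8">'
        "<title>404 Not Found</title></head><body>"
        f"<p>The requested resource {shown} was not found.</p>"
        "</body></html>"
    )
    return headers, body


def utf7_reinterpretation(request_uri: str) -> str:
    """What a UTF-7-sniffing browser would see for the escaped path.

    Demonstrates that escaping alone is insufficient: the escaped string
    is unchanged for a UTF-7 payload, yet decodes to markup. Assumes an
    ASCII path (non-ASCII bytes would raise here).
    """
    escaped = html.escape(unquote(request_uri))
    return escaped.encode("ascii", "strict").decode("utf-7")


def looks_like_utf7(request_uri: str) -> bool:
    """Cheap request-log check for UTF-7 shift sequences in a path."""
    return bool(UTF7_SHIFT_RE.search(unquote(request_uri)))
```

Run against a constructed path such as `/does/not/exist/+ADw-b+AD4-`, the escaper leaves the string untouched while the UTF-7 reinterpretation yields `<b>`; only the declared charset prevents that reinterpretation.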

See also :

Solution :

Download the latest Woodstock sources from CVS.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.7
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 38733

Bugtraq ID: 34829

CVE ID: CVE-2009-1554
