VYPR
Unrated severity · NVD Advisory · Published Sep 22, 2008 · Updated Apr 23, 2026

CVE-2008-4168

Description

Cross-site scripting (XSS) vulnerability in verify_login.jsp in Pro2col Stingray FTS allows remote attackers to inject arbitrary web script or HTML via the form_username parameter (aka user name field).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The login form in Pro2col Stingray FTS's verify_login.jsp reflects user-supplied input without sanitization, allowing reflected XSS attacks.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in verify_login.jsp in Pro2col Stingray FTS. The form_username parameter (i.e., the user name field) is not sanitized before being reflected in the login page, allowing arbitrary HTML and script injection. The login page itself (/login.jsp) is unauthenticated, so the attack surface is publicly accessible. Affected versions are not explicitly listed in the reference, but the advisory is from 2008 and likely affects all releases up to that point.

Exploitation

The attacker can inject malicious web script or HTML into the form_username parameter via a crafted URL or by submitting a specially crafted form. No authentication is required to reach the login page. The user interaction required is the victim visiting the maliciously crafted login page; the injected script executes in the context of the victim's browser session on the affected server.

Impact

Successful exploitation allows an attacker to execute arbitrary script or HTML in the victim's browser within the security context of the Stingray FTS application. This could lead to session hijacking, credential theft, or defacement of the login page. Since the login page is unauthenticated, the attacker can target any user or administrator who visits the malicious link. The scope of compromise is bounded by the browser's same-origin policy, but the attacker gains full access to the victim's interaction with the application.

Mitigation

The reference [1] does not provide information about a patched version or a release date for a fix. As of the advisory publication date (September 2008), no vendor-supplied mitigation was documented in the available sources. Administrators should contact Pro2col directly for updated versions or apply generic XSS mitigation, namely HTML-encoding the form_username value on the server side before it is reflected into the login page.
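The pattern behind the vulnerability and its fix, as an added illustration that is not Stingray's source code: a hypothetical Java model of a login page that echoes the submitted user name, first concatenated raw (the vulnerable shape) and then HTML-encoded at output time. The class and method names are assumptions for this example; in a JSP the equivalent hardening is to emit the value through JSTL's `<c:out>` instead of a raw `<%= request.getParameter(...) %>` expression.

```java
import java.util.Map;

/**
 * Minimal model of how verify_login.jsp might echo the submitted user name
 * back into the login page. Hypothetical reconstruction, not the product's code.
 */
public class LoginPageRenderer {

    // Vulnerable pattern: the form_username value is concatenated into HTML as-is,
    // so any markup in the parameter becomes part of the page.
    public static String renderUnsafe(Map<String, String> params) {
        String user = params.getOrDefault("form_username", "");
        return "<p>Login failed for user: " + user + "</p>"
             + "<input type=\"text\" name=\"form_username\" value=\"" + user + "\">";
    }

    // Contextual HTML encoding, safe for element content and double-quoted attributes.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: identical markup, but the reflected value is encoded at output time.
    public static String renderSafe(Map<String, String> params) {
        String user = htmlEncode(params.getOrDefault("form_username", ""));
        return "<p>Login failed for user: " + user + "</p>"
             + "<input type=\"text\" name=\"form_username\" value=\"" + user + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: a user name containing a quote and harmless markup.
        Map<String, String> req = Map.of("form_username", "\"><b>x</b>");
        System.out.println("unsafe: " + renderUnsafe(req)); // quote closes the attribute, <b> is live markup
        System.out.println("safe:   " + renderSafe(req));   // quote and brackets arrive as entities
    }
}
```

Compile and run with `javac LoginPageRenderer.java && java LoginPageRenderer` (Java 9 or later for `Map.of`); the safe output contains no raw `<`, `>` or `"` from the parameter, so the browser treats it purely as text.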

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
