Sun Solaris AnswerBook2 is reported prone to multiple cross-site scripting vulnerabilities because the software fails to properly sanitize user-supplied data. Exploits will allow arbitrary HTML and script code to run in a victim's browser, allowing the attacker to steal cookie-based credentials and launch other attacks. The Search function and the AnswerBook2 admin interface are affected. AnswerBook2 1.4.4 and prior versions are vulnerable. Bugtraq ID: 12746 Class: Input Validation Error CVE: CVE-2005-0548 CVE-2005-0549 Remote: Yes Local: No Published: Mar 07 2005 12:00AM Updated: Dec 11 2009 03:44PM Credit: Discovery is credited to Thomas Liam Romanis. Vulnerable: Sun AnswerBook2 1.4.4 Sun AnswerBook2 1.4.3 Sun AnswerBook2 1.4.2 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.3 - Sun Solaris 2.3 Sun AnswerBook2 1.4.1 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8_x86 - Sun Solaris 8_x86 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.3 - Sun Solaris 2.3 Sun AnswerBook2 1.4 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.3 - Sun Solaris 2.3 Sun AnswerBook2 1.3 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _x86 - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 _ppc - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 2.5.1 - Sun Solaris 8_x86 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 8 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0_x86 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 7.0 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6_x86 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.6 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5_x86 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.5 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4_x86 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.4 - Sun Solaris 2.3 - Sun Solaris 2.3 - Sun Solaris 2.3 Sun AnswerBook2 1.2 + Sun Solaris 8_x86 + Sun Solaris 8 + Sun Solaris 7.0_x86 + Sun Solaris 7.0 + Sun Solaris 2.6_x86 + Sun Solaris 2.6_sparc + Sun Solaris 2.6 The following proofs of concept are available: For the cross-site scripting issue in the Answerbook2 search function: http://www.example.com/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22% 29%3C%2Fscript%3E&Search=+Search+ For the admin interface 'View Log Files' function: http://www.example.com/ab2/@Ab2Admin?command=view_access