Pentest Security Advisory : PTL-2002-03
XSS bug in Betsie

Advisory Details

Author: Mark Rowe
Announcement Date: 1st July 2002
Reference: ptl-2002-03
Product: Betsie
Vulnerable versions: 1.5.11 and all versions before
Vulnerability Type: Input Validation Error
Platforms: All
Vendor-URL: http://www.bbc.co.uk/education/betsie/
Vendor-Status: informed, new version available
Remote-Exploit: Yes

Overview:

A Cross-site Scripting vulnerability exists in the Betsie application. The developer has been notified and a fixed version has been released.

Description:

Betsie stands for BBC Education Text to Speech Internet Enhancer. It is a simple Perl CGI script intended to alleviate some of the problems experienced by people who browse the web with text-to-speech systems: it fetches a page and rewrites it into a simpler form.

The Betsie Perl script does not adequately validate and filter the URL input it receives, making it vulnerable to Cross-site Scripting attacks.

Cross-site Scripting example (where "nastyscript" stands for the attacker-supplied script content): http://server/cgi-bin/betsie/parserl.pl/nastyscript

For more details about XSS vulnerabilities see https://www.owasp.org/index.php/XSS
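The pattern behind this class of bug, shown as an added illustration rather than Betsie's own code: a Perl CGI script takes the trailing part of the request URL (delivered by the web server in the PATH_INFO environment variable, already URL-decoded) and echoes it into the HTML it generates. The script below is a constructed example; the message text, the function names and the sample payload are assumptions, and the vulnerable and hardened variants are placed side by side so the difference is visible in the output.

```perl
#!/usr/bin/perl
# Added illustration, not Betsie's code: a minimal CGI script that reflects
# the URL's PATH_INFO into its response, first verbatim (vulnerable), then
# HTML-escaped (hardened).
# Run from a shell with a constructed PATH_INFO, as a web server would set it:
#   PATH_INFO='/<script>alert(1)</script>' perl reflect.pl
use strict;
use warnings;

# Escape the characters that matter when interpolating into HTML text.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: attacker-controlled URL path echoed verbatim into HTML,
# so a path of /<script>alert(1)</script> becomes live script in the page.
sub vulnerable_body {
    my ($path_info) = @_;
    return "<p>Could not fetch $path_info</p>\n";
}

# Hardened pattern: the same message with the path escaped before reflection,
# so the browser renders the payload as text instead of executing it.
sub hardened_body {
    my ($path_info) = @_;
    return "<p>Could not fetch " . html_escape($path_info) . "</p>\n";
}

# Constructed sample payload, used only when no web server supplied PATH_INFO.
my $path_info = $ENV{PATH_INFO} // '/<script>alert(1)</script>';

print "Content-Type: text/html\n\n";
print "<!-- vulnerable: -->\n", vulnerable_body($path_info);
print "<!-- hardened:   -->\n", hardened_body($path_info);
```

Two practical caveats follow from the example. First, validating the URL is not a substitute for escaping at output: a scheme or host check on the requested page says nothing about the path characters that end up in error messages and links, so anything reflected into the response must be encoded for the context it lands in (element text here; an attribute or a JavaScript string needs different encoding). Second, because servers hand PATH_INFO to the script already decoded, a filter that only looks for literal "<" in the raw request line will miss a payload sent as %3Cscript%3E.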

Fix:

The vendor has released a new version of the script, 1.5.12, which appears to fix the bug.

Vendor status:

Vendor has released a new version. See http://www.bbc.co.uk/education/betsie/download.html

Thanks:

Thank you to Wayne Myers for responding so quickly to our notification and promptly releasing a fix.

Credit:

Discovered on 24 June 2002 by Mark Rowe
