Secunia

Multiple vulnerabilities have been reported in Gattaca Server 2003, which can be exploited to conduct Cross-Site Scripting attacks, access arbitrary files and cause a DoS (Denial of Service).

It is possible to view directory contect by sending a specially crafted HTTP request where an extra "/" character has been appended to the end of the HTTP request for a directory.

Example:
http://[victim]//

Supplying an overly long argument (1048 characters or more) to the "LLIST" command in the Gattaca console can be exploited to crash the server.

An input validation error in "view.tmpl" can be exploited to access arbitrary files on the system with the privileges of Gattaca via a classic directory traversal attack.

Example:
http://[victim]/view.tmpl?testfile=../../winnt/win.ini

An input validation error in "view2.tmpl" can be exploited to conduct Cross-Site Scripting attacks against visitors. This can be exploited to gain knowledge of sensitive information (e.g. cookie-based authentication information) associated with the site running Gattaca Server 2003, or inclusion of malicious content, which the user thinks is part of the real website.

However, successful exploitation requires that a user is tricked into visiting a malicious web site or clicking a malicious link.

Example:
http://[victim]/view2.tmpl?text=<script>alert(document.cookie)</script>

The vulnerabilities have been reported in version 1.0.8.1. However, prior versions may also be affected.

Solution
The vendor will reportedly fix the vulnerabilities in the next release (except the Cross-Site Scripting issue, which the vendor doesn't regard as a vulnerability):
Further details available in Customer Area

Provided and/or discovered by
Gregory Le Bras

Original Advisory
http://www.security-corporation.com/advisories-019.html

Deep Links
Links available in Customer Area