Cross-site scripting vulnerability in DHT shell of Overlay Weaver

last-updated: March 30, 2007


The DHT shell, when started with the -x option (the owdhtshell -x command), in some versions of Overlay Weaver is vulnerable to a cross-site scripting attack.


Overlay Weaver versions 0.5.9 through 0.5.11 have a cross-site scripting vulnerability. If a DHT shell is invoked with the -x option, it serves a web page that shows node information and provides input forms for put, get and remove operations on the DHT. In that configuration the DHT shell is vulnerable to a cross-site scripting attack.
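The advisory does not publish the affected code, so the following is an added illustration, not Overlay Weaver's own source: a constructed stand-in for a DHT shell result page that reflects the submitted key and the looked-up value. The "before" renderer interpolates the strings as-is, the hardened renderer HTML-escapes every untrusted string (including quotes, so the value attribute of the form field cannot be terminated early), and a small check confirms whether a given untrusted string reaches the page verbatim. The page template, the in-memory dict standing in for the DHT, and the query strings are all assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed page template in the spirit of the DHT shell's web page
# (node information omitted; only the operation form and result line are modelled).
# This is NOT Overlay Weaver's template.
PAGE_TEMPLATE = """<html><body>
<h1>DHT shell</h1>
<form method="get" action="/">
  <input type="hidden" name="op" value="get">
  key: <input name="key" value="{key}">
  <input type="submit" value="get">
</form>
<p>result for key {key}: {value}</p>
</body></html>"""


def render_unsafe(key, value):
    """'Before' form: user-controlled strings are placed straight into HTML,
    so any markup in the key or stored value becomes part of the page."""
    return PAGE_TEMPLATE.format(key=key, value=value)


def render_safe(key, value):
    """Hardened form: escape every untrusted string at the point of output.
    quote=True also turns " and ' into entities, which matters because the key
    is reflected inside a value="..." attribute as well as in body text."""
    return PAGE_TEMPLATE.format(
        key=html.escape(key, quote=True),
        value=html.escape(value, quote=True),
    )


def handle_query(query_string, renderer, store):
    """Dispatch a put/get/remove request encoded as a query string
    (e.g. 'op=get&key=foo'). `store` is a dict standing in for the DHT."""
    params = parse_qs(query_string)
    op = params.get("op", [""])[0]
    key = params.get("key", [""])[0]
    value = params.get("value", [""])[0]
    if op == "put":
        store[key] = value
        result = "stored"
    elif op == "get":
        result = store.get(key, "(not found)")
    elif op == "remove":
        result = "removed" if store.pop(key, None) is not None else "(not found)"
    else:
        result = "unknown operation"
    return renderer(key, result)


def reflects_markup(page, untrusted):
    """Defensive check usable in a test suite: True if the untrusted input
    appears verbatim in the rendered page, i.e. it was not escaped."""
    return untrusted in page


if __name__ == "__main__":
    # Benign markup used only to show the difference between the two renderers.
    probe = '"><b>x</b>'
    print("unsafe reflects markup:", reflects_markup(render_unsafe(probe, "v"), probe))
    print("safe reflects markup:  ", reflects_markup(render_safe(probe, "v"), probe))
```

Note that escaping is applied to the stored value as well as the key: a value written by one client through a put operation is later reflected to every client that performs a get on the same key, so the output encoding must not depend on which client supplied the data.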


The victim is presented with content that the DHT shell's operator did not intend visitors to be exposed to. This could be used to "sniff" sensitive data from within web pages served by a web server running on the same host on which the DHT shell is running.


This issue is resolved in Overlay Weaver 0.6. Use that version or a later one. Alternatively, if you use versions 0.5.9 through 0.5.11, do not specify the -x option to the owdhtshell command.

JP Vendor Status Notes (JVN): JVN#62399483: Cross-site scripting vulnerability in Overlay Weaver (in Japanese)
Information-technology Promotion Agency (IPA): JVN#62399483: Cross-site scripting vulnerability in "Overlay Weaver" (in Japanese)


Our thanks to Yoshiyuki Sukedai, who discovered and reported this instance of the cross-site scripting vulnerability.

Other Information

Date First Published: March 29, 2007
Date Updated: March 30, 2007
