Description:
Blue Coat SG400 is vulnerable to a couple of XSS holes.
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_action/crl_format' / 'name'
Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file'
Notes:
PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
More Details
============
1. Full Path Disclosure
-----------------------------------
Allows attackers to gather the real path of the server-side script.
Proof of concept:
http://www.[xxxxx].com/path/index.php?page=new_topic&index=1&id=union
error
__________________________________________________________________
On Fri, Nov 30, 2007 at 12:50 PM, <research@procheckup.com> wrote:
PR07-15: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.logon.php3' server-side script
Date Found: 19th June 2007
Successfully tested on: version 5.5.2
F5 Networks has confirmed the following versions to be vulnerable:
FirePass versions 5.4.1 - 5.5.2
FirePass versions 6.0 - 6.0.1
Public disclosure: 03/2008
PART I - COMPROMISING USER’S ACCOUNT
Explanation:
When the user already has a session and clicks on that link (from the email), the exploit code is executed automatically. The user's email address is changed without their knowledge. At the same time, their current email address, first and last name, and current encrypted password (from the User Information page) are logged by a remote server-side script.
The attacker reads all of this information from a log file.
After that, he obtains a new user password, sent to his own email address, by using the Lost Password form.
With the victim's username and password, the attacker has full control of that account and can do whatever he wants.
Upon finishing his work, he changes the user's initial email address and encrypted password back.
NO authentication is required to exploit this vulnerability.
XSS on login page:
DPSnet Case Progress is vulnerable to a vanilla XSS within the
"password" parameter processed by the login server-side script. The
victim user does NOT need to be authenticated for this vulnerability to
be exploitable.
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to DPSnet Case Progress.
Description:
Commonspot server is vulnerable to a vanilla XSS
Vulnerable server-side script: 'commonspot/utilities/longproc.cfm'
Unfiltered parameter: 'arbitrary'
Notes:
Vendor informed: 26th June 2007
Description:
Liferay Portal login page is vulnerable to
Cross-Site Scripting within the "login" field processed by the "/c/portal/login" server-side script.
Consequences:
An attacker may be able to cause the execution of malicious script code in the browser of a user who visits a specially-crafted Liferay Portal URL, or visits a page that submits a request to such URL. Such code would run within the security context of the target domain.
FirePass versions 5.4 - 5.5.2
FirePass versions 6.0 - 6.0.1
Description:
F5 Networks FirePass 4100 SSL VPN is vulnerable to XSS within the "backurl" parameter processed by the "download_plugin.php3" server-side script.
No authentication is required to exploit this vulnerability.
Consequences:
Description:
RSA Authentication Agent is vulnerable to a vanilla XSS on the login page.
Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'
Unfiltered parameter: 'postdata'
Notes:
'http://' and 'https://' is NOT filtered for other protocols such as
FTP or Gopher. An attacker could upload a spoofed login page to an FTP
server that allows anonymous connections, to which the victim would be
redirected.
Vulnerable server-side script: '/WebID/IISWebAgentIF.dll'
Unfiltered parameter: 'url'
Note: the redirect will only take place in browsers which consider URLs
with only one slash after the colon symbol ':' as valid when performing
An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a PGP Universal Web Messenger specially-crafted URL is visited.
Vulnerable server-side script: '/b/lnj.e?'
Unfiltered parameter: 'retryURL'
Proof of concept
Example of specially-crafted URL:
NVD NIST: CVE-2007-4872
OSVDB: ID requested but no answer received
Summary:
SimpNews is a news system written in PHP.
Security problems in the product allow attackers to gather the true path of the server-side script.
Advisory URL:
http://www.netvigilance.com/advisory0068
Release Date:
that, when placed on a web page can "push" a print job from a file or
web server to a user's local printer without having to display the HTML
equivalent to that user. By placing WePO code on a web page, you can
provide a method whereby the viewer of that web page can request a local
print of a host resident print job, archived print job or a report
stream through a server-side script request.
Anzio Web Print Object is vulnerable to a buffer overflow attack, which
can be exploited by remote attackers to execute arbitrary code, by
providing a malicious web page with a long "mainurl" parameter for the
WePO ActiveX component.
Description:
Sun Java System Identity Manager is vulnerable to *unauthenticated* file
retrieval a.k.a. directory traversal within the "ext" parameter
processed by the "/idm/includes/helpServer.jsp" server-side script.
Consequences:
Any files can be retrieved from the target server provided that the
NVD NIST: ID requested but no answer received
OSVDB: ID requested but no answer received
Summary:
SimpGB is a guestbook with data stored in MySQL, administration interface and support for multiple languages.
Security problems in the product allow attackers to gather the true path of the server-side script.
Advisory URL:
http://www.netvigilance.com/advisory0064
Release Date:
Description:
Juniper Networks Secure Access 2000 is vulnerable to a vanilla XSS.
Vulnerable server-side script: '/dana-na/auth/rdremediate.cgi'
Unfiltered parameter: 'delivery_mode'
Successfully tested on: Juniper Networks Secure Access 2000 (SA-2000)
NVD NIST: CVE-2007-4861
OSVDB: Unassigned
Summary:
SAXON is a simple accessible online news publishing system for personal and small corporate site owners.
Security problems in the product allow attackers to gather the true path of the server-side script.
Advisory URL:
http://www.netvigilance.com/advisory0053
Release Date:
Description:
BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are
vulnerable to XSS affecting the 'name' parameter which
is submitted to the '/portal/server.pt' server-side script.
Date found: 12th September 2006
Vendor contacted: 18th May 2007
Vendor informed: 4th July 2007
Successfully tested on: Absolute Poll Manager XE - Version 4.1. Earlier versions are possibly affected as well but have NOT been tested.
Description: Absolute Poll Manager XE is vulnerable to a vanilla XSS within the "/AbsolutePollManager/xlaapmview.asp" server-side script and "msg" parameter.
No authentication is required to exploit this vulnerability.
Consequences: An attacker may be able to cause execution of malicious scripting code in the browser of a polls management user who clicks on a link to a site managed by Absolute Poll Manager. Such code would run within the context of the target domain.
Novell GroupWise WebAccess is vulnerable to a vanilla XSS
(non-persistent) via POST requests. Although filtering takes place for
GET requests, POST requests are ignored.
Vulnerable server-side script: '/gw/webacc',
Unfiltered parameter: 'User.id', 'Library.queryText'
Proof of concept:
credentials "Monitor:bigpond1". These credentials are hard-coded, and cannot
be changed by a normal user.
b) Command-injection vulnerability
The "ping.cgi" web page is subject to a command-injection vulnerability, as
the server-side script does not properly validate user-supplied input.
The following URL exploits this issue, executing the "ls /" command:
http://<device IP address>/ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd
[REMEDIATION]