lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <005501c38a65$03067270$050010ac@rootserver>
Date: Sat, 4 Oct 2003 12:46:17 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@...g-security.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Cobalt RaQ Control Panel Cross Site Scripting


Cobalt RaQ Control Panel Cross Site Scripting
------
PRODUCT: Cobalt RaQ Web Control Panel
VENDOR: Sun - Cobal Networks
VULNERABLE VERSIONS:

       - Sun Cobalt RaQ Servers Web Control Panel (T.I.N.P)
       - Tested in a default configurated Sun Cobalt RaQ server. control
panel
       - Sun Cobalt servers using the web based control panel(T.I.N.P)
       - Sun Cobalt RaQ 550 Server Appliance

---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:

Sun Cobalt RaQ 550 server appliance integrates the hardware, software,
database and development tools needed to deploy applications extremely
quickly without any prior server experience.

---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------

I found XSS vulnerabilities in the web based Control Panel of
Cobalt RaQ Servers , with this hole you can try to get the target
user information trough the cgi script called message.cgi by
including script code in the info= variable value.
The script is used for the output of system and control messages like
help messages ( "hints" of rollovers for help the user about things of the
control panel ) .
In addition the ssl support is not enabled for the control panel of users.
Cobalt Servers are possible affected by the last security hole found in
OpenSSL.

---------
|  XSS  |
---------

Using the following encoded script:

  %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E

And accessing a vulnerable control panel of a Cobalt RaQ server pointing
this address:

HTTP://[HOST NAME / DOMAIN]:[PORT:
81 ]/cgi-bin/.cobalt/message/message.cgi?info=[SCRIPT / XSS CODE]

A working demo of this can be :

http://w-0.h2oformum.foo:81/cgi-bin/.cobalt/message/message.cgi?info=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E

This will include the %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E code
in the output and
when the web browser executes it you get a message box:

----JavaScript Application----
|           XSS !            |
------------------------------

Thats all , simple and fast but Control Panel doesn't use cookies for keep
the passwords ,
this can be used for get the domain cookies if it is used by other
applications,although
it is a security hole because it demonstrates that the message.cgi script
does not have
an input validation system.

---------------------------------
| SSL SUPPORT NOT PRESENT IN CP |
---------------------------------

I observed that the ssl support is not enabled for the web server running
the control panel
( default webserver of cobalt raq control panel )
but the banner is this:

Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25

You can try to access but you get nothing ( error connecting ).
Yhis is a problem because it uses basic auth and if some body get this:

GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1
Host: tobeornottobeavulnerablehost.foo:81
User-Agent: Mozilla/5.0 Mozilla Firebird/0.6.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Basic dGVzdDp0ZXN0

HTTP/1.x 200 OK
Date: Fri, 03 Oct 2003 13:37:54 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Look at Authorization: Basic dGVzdDp0ZXN0 , it is base64 encoded , decoded
value is:

test:test


------------------------------
| LAST OPENSSL SECURITY HOLE |
------------------------------

I think that the version that i checked is affected by the last OpenSSL secu
rity hole.
I haven't tested this but the OpenSSL version is included in the vulnerable
versions range.

-----------------
| VENDOR STATUS |
-----------------
10 October 2003
~~~~
Ok -> Warned / Contacted
~~~~
Mails sent to security-alert@....com .

-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21  ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ