lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 28 Mar 2005 19:04:52 -0000
From: B00B00 <ptt@...nternet.com>
To: bugtraq@...urityfocus.com
Subject: Multiple XSS issues in Sun AnswerBook2




PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is AN xss issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low. 

http://192.168.197.91:8888/ab2/Help_C/@...HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result. 

2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file ( /var/log/ab2/logs/access-8888.log) or Error log file ( /var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, If an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

http://192.168.197.91:8888/ab2/@...Admin?command=view_access

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature 

removal here: 

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported 

releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for 

the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and 

using other sources of documentation, namely the Solaris Documentation CD and online formats at 

http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ