lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 02 Dec 2006 19:53:45 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Advisories] BlueSocket web administration is vulnerable
 to XSS

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-007
- Original release date: April 27, 2006
- Last revised: December 1, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 2/5
=============================================

I. VULNERABILITY
-------------------------
The BlueSocket web administration is vulnerable to a Cross Site
Scripting attack.

II. BACKGROUND
-------------------------
BSC 2100 product is included in the Blue Secure Family
(www.bluesocket.com)

BlueSecure Controllers provide high-performance, reliable,
policy-based WLAN security and management solutions that have been
deployed by hundreds of large institutions, enterprises, and public
access providers.

III. DESCRIPTION
-------------------------
The admin.pl perl code don't sanitize the imputs and then wen it tries
to rewrite the username at the input, html + script code could be
rewrited and executed by the browser.

This crossite is in the administration of the security product, it has
been tested only in BSC 2100.

Is it possible to send a fake email to the admin spoofing the product
address, saying that the configuration is not ok and sending the
special link.

If the admin press the link and validate in aparently normal
interface, his credentials will be sended to the attacker.

If this is done with a good social engineering will be a great risk.

IV. PROOF OF CONCEPT
-------------------------
This POC will inject some html to modify the look and feel of the
authentication, and attacker could inject script code to send
credentials to him.

https://somehost.somedomain.org/admin.pl?ad_name=%22%3E%3Ch1%3EXSS%20BUG%3C/h1%3E%3C!--

V. BUSINESS IMPACT
-------------------------
Credentials could be stolen due social engineering attacks.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior 5.2 or without 5.1.1-BluePatch

VII. SOLUTION
-------------------------
Update to 5.2 version or apply 5.1.1-BluePatch

VIII. REFERENCES
-------------------------
Vulnerability item number 4484 in the Bluepatch V6 for 5.1.1.1 Release
Notes.

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April     27, 2006: Initial vendor contact.
April     28, 2006: Vendor updates its near patch.
June      21, 2006: Publication of the patch.
September 16, 2006: Vendor confirms inclusion in referenced patch.
September 17, 2006: Advisory revised.

XI. DISCLOSURE TIMELINE
-------------------------
April     26, 2006: The vulnerability discovered by
                    Internet Security Auditors.
December   1, 2006: Advisory finally Published

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ