Message-ID: <1075126063.24049.73.camel@LTSP>
From: che at secunia.com (Carsten H. Eiram)
Subject: Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability
======================================================================
Secunia Research 26/01/2004
- IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/
======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification
======================================================================
1) Affected Software
IBM Net.Data 7 and 7.2.
NOTE: Other versions have not been tested but may also be affected.
======================================================================
2) Severity
Rating: Less critical
Impact: Cross-Site Scripting
Where: From Remote
======================================================================
3) Vendor's Description of Software
"Net.Data, a full-featured and easy to learn scripting language, allows
you to create powerful Web applications. Net.Data can access data from
the most prevalent databases in the industry".
Vendor:
http://www-3.ibm.com/software/data/net.data/
======================================================================
4) Description of Vulnerability
A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site.
The vulnerability is caused by an input validation error in the
db2www CGI component: the name of a requested macro file is
included in "DTWP001E" error messages without sufficient sanitisation.
A malicious person can exploit this by constructing a link that
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session in the context of the affected site.
Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A
Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information)
associated with the site running IBM Net.Data, or inclusion of
malicious content, which the user thinks is part of the real website.
NOTE: Other error messages may also be affected.
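Added example (not part of the Secunia advisory and not Net.Data code): a Python check a site operator could run over web server access logs to find db2www requests whose macro name carries HTML metacharacters, plus a helper that tells whether a response body echoes such a name unescaped. The log format (Apache common log), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# CGI path prefix taken from the advisory's example URL.
PREFIX = "/cgi-bin/db2www/"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (/cgi-bin/db2www/[^ "]*)', re.I)
MARKUP = re.compile(r'[<>"\']')  # characters that must never reach HTML raw

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_macro_requests(log_lines):
    """Return (client, decoded macro name) for db2www requests whose
    macro name contains HTML metacharacters."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        path = match.group(1).split("?", 1)[0]
        macro = decode_fully(path[len(PREFIX):])
        if MARKUP.search(macro):
            hits.append((line.split(" ", 1)[0], macro))
    return hits

def reflects_raw(macro, body):
    """True if a response body echoes a markup-bearing macro name verbatim."""
    return bool(MARKUP.search(macro)) and macro in body

# Constructed sample log lines (documentation IP range, invented macro names).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2004:10:00:01 +0000] '
    '"GET /cgi-bin/db2www/orders.d2w/report HTTP/1.0" 200 5120',
    '192.0.2.44 - - [26/Jan/2004:10:00:07 +0000] "GET /cgi-bin/db2www/'
    '%3Cscript%3Ealert(document.domain)%3C/script%3E/A HTTP/1.0" 200 412',
    '192.0.2.45 - - [26/Jan/2004:10:00:09 +0000] '
    '"GET /cgi-bin/db2www/%253Cb%253E/A HTTP/1.0" 200 398',
    '192.0.2.46 - - [26/Jan/2004:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for client, macro in suspicious_macro_requests(SAMPLE_LOG):
        print(client, repr(macro))
```

Once the default error message described in the Solution section is in place, `reflects_raw` should return False for the body returned to any request the scanner flags.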
======================================================================
5) Solution
The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
web site reacts in a predictable manner when encountering problems.
Example:
In the Net.Data configuration file "db2www.ini", insert an entry such
as:
DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE>
This will prevent various error messages from being returned to users.
======================================================================
6) Time Table
04/11/2003 - Vulnerability discovered.
04/11/2003 - Vendor notified.
07/11/2003 - Vendor confirms receiving vulnerability report. Report will
be forwarded to Net.Data team.
02/12/2003 - Requests status report from contact person.
02/12/2003 - Contact person responds that the Net.Data team will be
contacted.
14/01/2004 - Advisory draft sent to vendor along with set disclosure
date.
14/01/2004 - Contact person replies that the Net.Data team will be
contacted again.
22/01/2004 - Vendor confirms vulnerability and provides solution.
26/01/2004 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2004-1/
======================================================================