Message-ID: <1075126063.24049.73.camel@LTSP>
From: che at secunia.com (Carsten H. Eiram)
Subject: Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting
 Vulnerability

====================================================================== 

                     Secunia Research 26/01/2004 

   - IBM Net.Data Macro Name Cross-Site Scripting Vulnerability - 

====================================================================== 
Receive Secunia Security Advisories for free: 
http://www.secunia.com/secunia_security_advisories/ 

====================================================================== 
Table of Contents
 
1....................................................Affected Software 
2.............................................................Severity 
3.....................................Vendor's Description of Software 
4.........................................Description of Vulnerability 
5.............................................................Solution 
6...........................................................Time Table 
7..............................................................Credits 
8........................................................About Secunia 
9.........................................................Verification 

====================================================================== 
1) Affected Software 

IBM Net.Data 7 and 7.2. 

NOTE: Other versions have not been tested but may also be affected. 

====================================================================== 
2) Severity 

Rating:  Less critical 
Impact:  Cross-Site Scripting 
Where:   From Remote 

====================================================================== 
3) Vendor's Description of Software 

"Net.Data, a full-featured and easy to learn scripting language, allows
you to create powerful Web applications. Net.Data can access data from
the most prevalent databases in the industry". 

Vendor: 
http://www-3.ibm.com/software/data/net.data/

====================================================================== 
4) Description of Vulnerability 

A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site. 

The vulnerability is caused by an input validation error in the
db2www CGI component: the name of a requested macro file is included
in "DTWP001E" error messages without sufficient sanitisation.

A malicious person can exploit this by constructing a link that
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session in the context of the affected
site.

Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

Successful exploitation may result in disclosure of various 
information (e.g. cookie-based authentication information) 
associated with the site running IBM Net.Data, or inclusion of 
malicious content, which the user thinks is part of the real website. 

NOTE: Other error messages may also be affected. 
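
Added example (not part of the Secunia advisory): a log check that flags requests to db2www whose macro-name part carries HTML markup characters, raw or percent-encoded, matching the request shape shown above. The log lines, the Common Log Format layout and the "orders.d2w" macro name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2004:10:00:01 +0000] "GET /cgi-bin/db2www/orders.d2w/report HTTP/1.0" 200 5120
192.0.2.44 - - [26/Jan/2004:10:00:07 +0000] "GET /cgi-bin/db2www/<script>alert(document.domain)</script>/A HTTP/1.0" 200 412
192.0.2.44 - - [26/Jan/2004:10:00:09 +0000] "GET /cgi-bin/db2www/%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E/A HTTP/1.0" 200 412
192.0.2.51 - - [26/Jan/2004:10:01:30 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 1043
192.0.2.60 - - [26/Jan/2004:10:02:00 +0000] "GET /cgi-bin/db2www/%253Cb%253E/A HTTP/1.0" 200 400
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
DB2WWW_RE = re.compile(r"/db2www/(.*)", re.IGNORECASE)
MARKUP_CHARS = set("<>\"'")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded).

    Conservative on purpose: nested encodings are flagged whether or not
    the server itself would decode them more than once.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (client, decoded macro path) for db2www requests with markup."""
    hits = []
    for line in log_text.splitlines():
        request = REQUEST_RE.search(line)
        if not request:
            continue
        path = request.group(1).split("?", 1)[0]   # ignore the query string
        target = DB2WWW_RE.search(fully_decode(path))
        if target and MARKUP_CHARS & set(target.group(1)):
            hits.append((line.split()[0], target.group(1)))
    return hits


if __name__ == "__main__":
    for client, macro_path in suspicious_requests(SAMPLE_LOG):
        print(client, repr(macro_path))
```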

====================================================================== 
5) Solution 

The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
web site reacts in a predictable manner when encountering problems. 

Example: 
In the Net.Data configuration file "db2www.ini", insert an entry such
as: 

DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE> 

This will prevent various error messages from being returned to users. 
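
Added example (not part of the Secunia advisory and not Net.Data code): a simplified model of the error path described in sections 4 and 5, showing the macro name reflected as-is, the same page with the name HTML-encoded, and a fixed default message that reflects nothing. The error template wording, the path parsing and the "orders.d2w" macro are assumptions made for the model.

```python
import html

# Hypothetical stand-in for a DTWP001E message; the real Net.Data wording
# is not reproduced here.
ERROR_TEMPLATE = "DTWP001E: macro file {name} could not be opened."

# Fixed text taken from the advisory's db2www.ini example.
DEFAULT_MESSAGE = ("<PRE>This Web Site is experiencing problems. "
                   "Check back later. </PRE>")

KNOWN_MACROS = {"orders.d2w"}  # constructed


def macro_name(path_info):
    """Model of /<macro name>/<block>: everything before the last segment."""
    parts = path_info.strip("/").split("/")
    return "/".join(parts[:-1]) if len(parts) > 1 else parts[0]


def error_page(path_info, default_message=None, escape=True):
    """Build the response for a request handled by the modelled CGI."""
    name = macro_name(path_info)
    if name in KNOWN_MACROS:
        return "<p>macro output</p>"
    if default_message is not None:
        # Models the effect of DTW_DEFAULT_ERROR_MESSAGE: one fixed text,
        # so no request data reaches the page.
        return default_message
    # escape=False models the flaw: attacker-controlled text enters HTML.
    # escape=True is the general fix: encode on output.
    shown = html.escape(name, quote=True) if escape else name
    return "<html><body>" + ERROR_TEMPLATE.format(name=shown) + "</body></html>"


if __name__ == "__main__":
    request = "/<script>alert(document.domain)</script>/A"
    print("reflected:", error_page(request, escape=False))
    print("encoded:  ", error_page(request))
    print("default:  ", error_page(request, default_message=DEFAULT_MESSAGE))
```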

====================================================================== 
6) Time Table 

04/11/2003 - Vulnerability discovered. 
04/11/2003 - Vendor notified.
07/11/2003 - Vendor confirms receiving vulnerability report. Report will
be forwarded to Net.Data team. 
02/12/2003 - Requests status report from contact person. 
02/12/2003 - Contact person responds that the Net.Data team will be
contacted. 
14/01/2004 - Advisory draft sent to vendor along with set disclosure
date. 
14/01/2004 - Contact person replies that the Net.Data team will be
contacted again. 
22/01/2004 - Vendor confirms vulnerability and provides solution. 
26/01/2004 - Public disclosure. 

====================================================================== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research. 

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
vulnerability information relevant to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://www.secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website: 
http://www.secunia.com/secunia_research/2004-1/ 
======================================================================

