lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0407011203140.19413@fsj.fqfubzr.arg>
From: vuln at hexview.com (vuln@...view.com)
Subject: [HW-MED] XSS in Netegrity IdentityMinder

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cross-Site Scripting (XSS) Vulnerability in Netegrity IdentityMinder

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2004*07*02*1

Overview:
=========
IdentityMinder is an identity and role management product developed by
Netegrity (http://www.netegrity.com), a microsoft gold-certified
identity and access management partner. Both primary and management web
interfaces are vulnerable to classic cross-site scripting (XSS) attacks.

Affected products:
==================
All tests were performed using Netegrity IdentityMinder Web Edition 5.6 SP2
for Windows, IIS Server, and Netegrity Policy Server V5.5. Possibly all other
IdentityMinder releases are vulnerable.

Cause and Effect:
=================
Although IdentityMinder product employs URL filtering capabilities that
disallow using common XSS characters in the URL, it is possible to
submit the URL string containing any character using zero-byte string
poisoning method. The part of the URL after %00 character is not checked
against XSS characters. Management interface is also vulnerable to XSS
and does not even require zero-byte poisoning.
The vulnerability makes possible to execute scripts in the context of webpage
with current IdentityMinder user privileges. It can be used to steal page data,
and/or to perform ItentityMinder tasks with the privileges of logged-in user.

Demonstration:
==============
The problem can be reproduced by entering following the link below (split over
several lines for readability). The example link is form action link from
ViewGroup search dialog. Please note that you need to replace PUT_*_HERE's
with your actual variables.

http://PUT_ADDRESS_HERE/idm/PUT_SITE_NAME_HERE/ims_mainconsole_principalpopuphandler.do?
searchAttrs0=%25GROUP_NAME%25&searchOperators0=EQUALS&searchFilter0=
&searchOrgDN=PUT_DN_HERE&incChildrenOrgFlag=NO&resultsPerPage=10&oid=
&imsui_taskstate=RESOLVE_SCOPE&imsui_tpnametosearch=group
&numOfExpressions=1%00<script>alert(document.cookie)</script>

Here is another link demonstrating the problem in IdentityMinder management
interface. Note that %00 poisoning is not required.

http://PUT_ADDRESS_HERE:7001/idmmanage/mobjattr.do?diroid=PUT_OID_HERE
&attrname=Group%20Members&mobjtype=2<script>alert(document.cookie)</script>

Distribution:
=============
This document may be freely distributed anywhere as long as the contents are
kept unmodified.

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vuln@...view.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA5GAsDPV1+KQrDqQRAhBrAKCJoi0L1+UiOYjsdlSHSv3AiQk36ACeNjMq
VLpqdNUuC3KcNoHcxn7iatU=
=v2m2
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ