lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <49160A57.8090300@gmail.com>
Date: Sat, 08 Nov 2008 15:53:27 -0600
From: rholgstad <rholgstad@...il.com>
To: Francesco Bianchino <f.bianchino@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Metrica Service Assurance Multiple Cross Site
 Scripting

post auth xss

*yawn*

Francesco Bianchino wrote:
> Metrica Service Assurance Multiple Cross Site Scripting
>
> ***********************************************************************
>
> Author: Francesco Bianchino
>
> Email: f.bianchino@...il.com
>
> Title: Metrica Service Assurance Multiple Cross Site Scripting
>
> Vendor: IBM
>
> ***********************************************************************
>
> Summary
>
> Metrica Service Assurance Framework implements a distributed,
> object-oriented, J2EE-based architecture. It work with a Web-based
> user interfaces, from end-user report generation to detailed system
> administration and configuration.
>
> ***********************************************************************
>
> Vulnerability Detail
>
> The web-based interface of Metrica Service Assurance is exposed to
> multiple XSS attack. With an authenticated user it's possible to steal
> other user's sessions due to a flaw in the input validation
> mechanisms.
> A persistant XSS permits the insertion of malicious code into the
> web-based interface. Using the report generation function it is
> possible to create a report with malicious code in the name.
> That code is than rendered on the victim's browser when opening the
> report history which can be found in the main panel of the
> application.
> The code also persists into the main panel and all the users are
> exposed to the attack.
>
> There are at least three vulnerable pages:
>
>        Non persistant:
>        * http://server/<document root>/ReportTree
>        * http://server/<document root>/Launch
>
>        Peristant:
>        * http://server/<document root>/ReportRequest
>
> ***********************************************************************
>
> Exploit
>
> http://server/<document
> root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non
> persistant XSS");</SCRIPT><!--&date=0000000000000
>
> http://server/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non
> Persistant XSS");</SCRIPT>
>
> http://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant
> XSS!);</SCRIPT>&none_agg_specified=false&windowtype=main
>
> ***********************************************************************
>
> Solution
>
> At the moment of writing this advisory the is no solution yet.
>
> ***********************************************************************
>
> Credits
>
> Discovered and advised to IBM, November 2008 by Francesco Bianchino.
> Thanks to Marco borza and to da EthicalHAkinTeam.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ