Fw: Re: Centrinity FirstClass HTTP Server Cross Site Scripting

["Richard Maudsley" <r.i.c.h () btopenworld com>]

-- Original message --
From: "FirstClass Mail Tech" <mailtech () firstclass com>
To: "Richard Maudsley" <r.i.c.h () btopenworld com>
Date: 
Subject: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
---------------------------
Hello Richard,

Sorry if you get this twice.   This is a response directly from our
Engineering department.

> Description: Injected code is rendered in the context of the vulnerable
> page.
>
> Exploit:
> http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('X
> SS')</script>
>
> It may be possible to steal cookies from users who are logged into the
> system.
"This is a bug, although not quite as serious as the author might think. 
Basically the cookie contains no actual decodable data (like password,
userID, etc.), it is short lived (duration of session), and it is usually IP
address sensitive (config dependant). To quote my expert:

It does, though (like most such vulnerabilities) it would require a fair
amount of human engineering to exploit.  What this would allow is for
someone
to acquire a user's login cookie.  The user would have to be logged in on
the
web and click on a malicious URL (possibly in a message), which would allow
a
user to harvest their current login cookie.  It won't be useful if the
"don't
allow sessions to switch IP address" checkbox is on in the advanced web &
FTP
form, or if the user logs out (or times out) before the harvester can use
the
cookie (typically, a matter of minutes).  Overall I would rate this as a
"low" vulnerability.
...
If a given customer needs immediate relief, have them edit their
Upload.shtml
file and find and remove the following bit of code (its a small file, so it
isn't hard to find):

<!--#if expr="<X-FC-URL-PARAMETER TargetName EXISTS>"--><X-FC-URL-PARAMETER
TargetName>&nbsp;<!--#endif-->

> It is likely that other pages are also vulnerable.
The only other pages are some error pages which can be similarly modified."

Thank you, 

FirstClass Mail Tech
Open Text, FirstClass Messaging Division
"Email, fax, voice-mail, calendaring, conferencing....get to your
information
from any device, anywhere, anytime."
Come and see our new FirstClass Support website:
http://www.firstclass.com/support/
-- End of message --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html