Full Disclosure mailing list archives

BASE - 3 Persistent Cross Site Scripting Vulnerabilities


From: Jabra <jasbro7 () gmail com>
Date: Sat, 30 May 2009 23:21:33 -0400

BASE, a well-known Snort front end, has 3 persistent cross-site scripting
vulnerabilities.

For those who don't know, cross-site scripting allows an attacker to inject
JavaScript that modifies the functionality of the affected web pages. Since this
vulnerability exists in BASE, an attacker can drop alerts (all of them or
specific alerts), modify user information including passwords, modify the
configuration of BASE and perform many other tasks. The only limitation is the
attacker's creativity.

The vulnerabilities exist in pages that display information from 3 different
components of BASE: alert groups, roles and user information.

For creating a user, the name field was found to be vulnerable. For the name
field, I just injected JavaScript and it was rendered!

For creating an alert group, we just need to close the surrounding HTML with
"> and add our JavaScript afterwards. This causes the page that loads the name
to close the HTML and execute our JavaScript! This is due to HTML encoding not
being used on the page.

For creating a role, both the name and the description field were
vulnerable. The name field was limited to a specific number of characters.
To verify, I just injected XSS and verified it rendered properly. The
description field took straight JavaScript.
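The two rendering contexts described above, as an added illustration that is not code from the advisory or from BASE: a value echoed as page text (the user name case) executes on its own, while a value echoed inside a quoted attribute only escapes with the "> closure, and only if the page does not HTML-encode quotes. The `<td>` and `<input>` templates are assumed stand-ins for the affected pages, and the payload strings are constructed samples.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for two of the fields in the advisory: a user name echoed
# as page text, and an alert-group name echoed inside a quoted attribute.
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '"><script>alert(1)</script>'

def render_text(value: str, encode: bool) -> str:
    """Echo a stored value as element text (assumed table-cell template)."""
    return f"<td>{html.escape(value) if encode else value}</td>"

def render_attr(value: str, encode: bool, quote: bool = True) -> str:
    """Echo a stored value inside a quoted attribute (assumed form-field template).
    quote=False mimics the common mistake of encoding only < > & and leaving
    quotes alone, which is not enough inside an attribute."""
    shown = html.escape(value, quote=quote) if encode else value
    return f'<input type="text" name="name" value="{shown}">'

class _Collector(HTMLParser):
    """Record the start tags and text a browser would actually see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []   # (tag name, {attribute: value})
        self.text = []   # text nodes, with character references decoded
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
    def handle_data(self, data):
        self.text.append(data)

def _parse(markup: str) -> _Collector:
    c = _Collector()
    c.feed(markup)
    c.close()
    return c

def text_is_contained(markup: str, original: str) -> bool:
    """True only if the value became one <td> whose text round-trips unchanged."""
    c = _parse(markup)
    return c.tags == [("td", {})] and "".join(c.text) == original

def attr_is_contained(markup: str, original: str) -> bool:
    """True only if the value stayed inside the single <input> and round-trips
    unchanged, i.e. it neither added tags nor cut the attribute short."""
    c = _parse(markup)
    expected = {"type": "text", "name": "name", "value": original}
    return c.tags == [("input", expected)]

if __name__ == "__main__":
    for enc in (False, True):
        print("text encode=%s contained=%s" % (enc, text_is_contained(render_text(TEXT_PAYLOAD, enc), TEXT_PAYLOAD)))
        print("attr encode=%s contained=%s" % (enc, attr_is_contained(render_attr(ATTR_PAYLOAD, enc), ATTR_PAYLOAD)))
    print("attr encoded without quotes contained=%s" % attr_is_contained(render_attr(ATTR_PAYLOAD, True, quote=False), ATTR_PAYLOAD))
```

The same containment check can be run over values already stored in the database to find entries that would break out of their rendering context before they are displayed.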


Screenshots can be found at:

http://www.spl0it.org/blog/index.php?entry=entry090530-212022

Regards,
Jabra