Vulnwatch mailing list archives
Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability
From: "Carsten H. Eiram" <che () secunia com>
Date: 26 Jan 2004 15:07:43 +0100
======================================================================

                     Secunia Research 26/01/2004

  - IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -

======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/

======================================================================
Table of Contents

1) Affected Software
2) Severity
3) Vendor's Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) About Secunia
9) Verification

======================================================================
1) Affected Software

IBM Net.Data 7 and 7.2.

NOTE: Other versions have not been tested but may also be affected.

======================================================================
2) Severity

Rating:  Less critical
Impact:  Cross-Site Scripting
Where:   From Remote

======================================================================
3) Vendor's Description of Software

"Net.Data, a full-featured and easy to learn scripting language,
allows you to create powerful Web applications. Net.Data can access
data from the most prevalent databases in the industry".

Vendor:
http://www-3.ibm.com/software/data/net.data/

======================================================================
4) Description of Vulnerability

A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site.

The vulnerability is caused due to an input validation error in the
db2www CGI component, since the name of a requested macro file is
included in "DTWP001E" error messages without sufficient sanitation.

A malicious person can exploit this by constructing a link, which
includes arbitrary script code. If a user is tricked into clicking the
link or visiting a malicious website, the script code will be executed
in the user's browser session in context of the affected site.

Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information) associated
with the site running IBM Net.Data, or inclusion of malicious content,
which the user thinks is part of the real website.

NOTE: Other error messages may also be affected.

======================================================================
5) Solution

The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that
a web site reacts in a predictable manner when encountering problems.

Example:
In the Net.Data configuration file "db2www.ini", insert an entry such
as:

DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE>

This will prevent various error messages from being returned to users.

======================================================================
6) Time Table

04/11/2003 - Vulnerability discovered.
04/11/2003 - Vendor notified
07/11/2003 - Vendor confirms receiving vulnerability report. Report
             will be forwarded to Net.Data team.
02/12/2003 - Requests status report from contact person.
02/12/2003 - Contact person responds that the Net.Data team will be
             contacted.
14/01/2004 - Advisory draft sent to vendor along with set disclosure
             date.
14/01/2004 - Contact person replies that the Net.Data team will be
             contacted again.
22/01/2004 - Vendor confirms vulnerability and provides solution.
26/01/2004 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://www.secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2004-1/

======================================================================
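Added example (not part of the Secunia advisory and not IBM code): a log check that flags requests whose macro name under the db2www CGI path carries HTML metacharacters, including percent-encoded and double-encoded forms. The Common Log Format layout, the function names and the sample log lines are assumptions constructed for illustration; the CGI path comes from the advisory's example URL.

```python
import re
from urllib.parse import unquote

# Path prefix taken from the advisory's example URL.
CGI_PREFIX = "/cgi-bin/db2www/"
# Assumption: access log in Common Log Format with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
HTML_META = set("<>\"'")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_macro_path(log_line):
    """Return the decoded macro path if it holds HTML metacharacters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    # Drop the query string before decoding; the advisory concerns the macro name.
    path = match.group(1).split("?", 1)[0]
    decoded = fully_decode(path)
    if not decoded.lower().startswith(CGI_PREFIX):
        return None
    macro_part = decoded[len(CGI_PREFIX):]
    return macro_part if HTML_META & set(macro_part) else None

def scan(lines):
    """Return (line_number, decoded_macro_path) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = suspicious_macro_path(line)
        if found is not None:
            hits.append((number, found))
    return hits

# Constructed sample log lines (documentation IP range, made-up macro names).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2004:15:10:01 +0100] "GET /cgi-bin/db2www/sample.mac/report HTTP/1.0" 200 5120',
    '192.0.2.11 - - [26/Jan/2004:15:10:07 +0100] "GET /cgi-bin/db2www/<script>alert(document.domain)</script>/A HTTP/1.0" 200 312',
    '192.0.2.12 - - [26/Jan/2004:15:10:09 +0100] "GET /cgi-bin/db2www/%3Cscript%3Ealert(document.domain)%3C/script%3E/A HTTP/1.0" 200 312',
    '192.0.2.13 - - [26/Jan/2004:15:10:12 +0100] "GET /cgi-bin/db2www/%253Cscript%253E/A HTTP/1.0" 200 298',
    '192.0.2.14 - - [26/Jan/2004:15:10:15 +0100] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for number, macro in scan(SAMPLE_LOG):
        print(f"line {number}: {macro}")
```

Hits from before the DTW_DEFAULT_ERROR_MESSAGE entry was configured are the requests worth reviewing, since those responses would have echoed the macro name.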