[Full-disclosure] SEC-Consult SA 20051025-1 :: RSA ACE Web Agent XSS

Date: Tue, 25 Oct 2005 22:26:32 +0200
SEC-CONSULT Security Advisory 20051025-1
=====================================================================
                  title: RSA ACE Web Agent XSS
                program: RSA ACE/Agent for Web
     vulnerable version: 5.1, 5.1.1
                         newer versions may be vulnerable
               homepage: www.rsasecurity.com
                  found: 2005-10
                     by: SEC-CONSULT / www.sec-consult.com
=====================================================================
Vendor description:
---------------

RSA Authentication Agent software intercepts access requests—whether
local or remote—from users or groups of users and directs them to the
RSA Authentication Manager program for authentication. Once verified,
permission to access protected resources is granted.


Vulnerability overview:
---------------

RSA Authentication Agent for Web 5.1 is prone to a cross-site scripting
vulnerability. Please note that this issue is different from
CAN-2003-0389.


Vulnerability details:
---------------

Due to missing input validation, it is possible to inject client-side
scripts via the "image" parameter, which is reflected into the response.

example:

---cut here---

http://[SERVER]/webauthentication?GetPic?
image=x%3Cimg%20src=%22A%22+onError=%22javascript:alert('Thanks%20for%20turning%20on%20the%20remotecontrol')%3b%22%3Exxx

---cut here---


Recommended fixes
---------------

Whitelist allowed characters in user input.
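The following is an added example illustrating the whitelist fix recommended above for the "image" parameter described under "Vulnerability details"; it is not code from the advisory or from RSA. It assumes the parameter only ever needs to carry a bare image file name (a hypothetical assumption about the agent), extracts the parameter from a GetPic-style URL, rejects anything outside a strict allowlist, and HTML-escapes any value that still has to be echoed back.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist for the "image" parameter: a plain file name only.
# Assumption (not stated by the advisory): the agent serves named image
# files such as "logo.gif", so letters, digits, ".", "_" and "-" suffice.
IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed sample: the decoded form of the advisory's example payload.
SAMPLE_PAYLOAD = ('x<img src="A" onError="javascript:alert('
                  "'Thanks for turning on the remotecontrol');\">xxx")


def extract_image_param(url: str) -> Optional[str]:
    """Return the decoded 'image' value from a GetPic-style URL, or None."""
    query = urlsplit(url).query
    # The advisory's URL carries a second "?" inside the query
    # ("GetPic?image=..."); keep only the key=value part after it.
    key_values = query.split("?", 1)[-1]
    values = parse_qs(key_values, keep_blank_values=True).get("image")
    return values[0] if values else None


def validate_image_param(value: str) -> bool:
    """Allowlist check: only a bare image file name passes."""
    return IMAGE_NAME_RE.fullmatch(value) is not None


def reflect_safely(value: str) -> str:
    """Defence in depth: if a value must be echoed into HTML (e.g. in an
    error page), escape it so markup characters cannot break out of text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for candidate in ("logo.gif", SAMPLE_PAYLOAD):
        verdict = "accepted" if validate_image_param(candidate) else "rejected"
        print(f"{verdict}: {reflect_safely(candidate)}")
```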


Vulnerable versions:
---------------

This flaw was discovered in version 5.1 of RSA Agent for Web. No other
versions were available for testing. Web Agents >5.1 may also be vulnerable.


Vendor status:
---------------

RSA Security was notified of this issue several times. However, this
did not prompt them to investigate the flaw further.


General remarks
---------------
We know that version 5.1 is not supported anymore and we would like to
apologize in advance for potential nonconformities and/or known issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF SEC Consult / @2005
research at sec-consult dot com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
