Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple XSS issues in Sun AnswerBook2

from [B00B00] Network Security [Permanent Link]
Subject: Multiple XSS issues in Sun AnswerBook2
Date: 28 Mar 2005 19:04:52 -0000 


PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is AN xss 
issue in the Sun Answerbook2 Search function and the other is an attack vector 
issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. 
As a result the impact of this issue is likely to be low. 

http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web 
Server. In this case, depending on the function of the server, a more serious 
exposure could result. 

2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file ( 
/var/log/ab2/logs/access-8888.log) or Error log file ( 
/var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than 
plain text. As a result a number of different methods could be used to launch 
attacks against the Answerbook2 administrator. For example, If an XSS attempt 
has been made on another part of the application, even if it was not 
immediately successful, it will execute during the display of the Access or 
Error log files. Thus attacks could be waged via browser vulnerabilities 
against the Sun AnswerBook2 Administrator who may have escalated privileges on 
the host operating system.

http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 
Release Notes list the feature 

removal here: 

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the 
other currently supported 

releases of Solaris and they are impacted by this issue. Sun isn't planning on 
producing further patches for 

the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert 
recommends disabling AnswerBook2 and 

using other sources of documentation, namely the Solaris Documentation CD and 
online formats at 

http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple XSS issues in Sun AnswerBook2, B00B00 <=
Previous by Date:  RE: Re: Symantec Antivirus client locally created scheduled scan is not running if the local console is logged off, Eitan Caspi
Next by Date:  phishing sites report - March/2005, Gadi Evron
Previous by Thread:  Multiple XSS vulnerabilities in ACS Blog, Dan Crowley
Next by Thread:  phishing sites report - March/2005, Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]