
| Subject: | [Full-disclosure] [scip_Advisory 3159] SiteScape forum prior 7.3 Cross Site Scripting |
|---|---|
| Date: | Fri, 13 Jul 2007 09:14:14 +0200 |
SiteScape forum prior 7.3 Cross Site Scripting

scip AG Vulnerability ID 3159 (07/13/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159

I. INTRODUCTION

SiteScape forum is a commercial web forum. It uses presence to connect teams through phone, IM, chat, SMS and email, as well as voice- and web-conferencing. The application also supports online threaded discussions and creation of content through blogs, wikis and workflow-driven document and task management. More information is available at the official web site at the following URL:

http://www.sitescape.com/

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within SiteScape Forum prior to release 7.3. Some scripts that are not protected by any authentication procedure can be used to run arbitrary script code within a cross site scripting attack. Other parts of the application might be affected too.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a browser session can be used to exploit these vulnerabilities. The simple approach to verify an insecure installation is within the login procedure. Use the following string as user name and a wrong password for the simple proof-of-concept[1]:

<script>alert('scip');</script>

A plugin for our open-source exploiting framework "Attack Tool Kit" (ATK) will be published in the near future.[2]

IV. IMPACT

Because non-authenticated parts of the software are affected, these vulnerabilities are serious for every secure environment. Non-authenticated users might be able to exploit this flaw to gain elevated privileges (e.g. extracting sensitive cookie information or launching a buffer overflow attack against another web browser). Because other parts of the application might be affected too - this could include some second order vulnerabilities - a severe attack scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement.

VI. SOLUTION

We informed SiteScape at a very early stage. They told us that the problem had not been announced in a public advisory, but it is already solved in the latest release of the discussed software. Therefore, an upgrade to SiteScape Forum 7.3 or newer will solve the issues.

VII. VENDOR RESPONSE

SiteScape was first informed on 06/29/2007 via email at info-at-sitescape.com. A very kind reply by Chris Pressley came back some minutes later. Further discussion of the flaw (how to reproduce) and the co-ordination of a public advisory followed.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159

computec.ch document data base (german)
http://www.computec.ch/download.php

Die Kunst des Penetration Testing (german)
http://www.amazon.de/dp/3936546495/

IX. DISCLOSURE TIMELINE

06/27/07 Identification of the vulnerabilities
06/29/07 First response to info-at-sitescape.com
06/29/07 Immediate reply by Chris Pressley
07/09/07 Co-ordination of the advisory release
07/13/07 Public advisory

X. CREDITS

The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.amazon.de/dp/3936546495/
[2] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.
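The advisory names the defect class (a login form that reflects the submitted user name into the page unencoded, section III) and states that detection patterns are easy to implement (section V) without showing either. The following Python is an added illustration, not SiteScape's code and not part of the scip advisory: a hypothetical login-failure renderer in its vulnerable and HTML-encoded forms, a self-check that tells the two apart, and a minimal signature run over constructed Apache-style access-log lines. All function names, the log lines and the hostnames are assumptions made for the example.

```python
import html
import re
from urllib.parse import unquote_plus

# Proof-of-concept string quoted in the advisory (section III).
POC_USERNAME = "<script>alert('scip');</script>"


def render_login_error_vulnerable(username: str) -> str:
    """Hypothetical login-failure page that reflects the user name verbatim.

    This is the defect class the advisory describes: untrusted input is
    concatenated into HTML without encoding, so markup in the user name
    becomes part of the page.
    """
    return f"<p>Login failed for user {username}. Please try again.</p>"


def render_login_error_fixed(username: str) -> str:
    """Same page with the user name HTML-encoded before it is reflected."""
    safe = html.escape(username, quote=True)  # & < > " ' become entities
    return f"<p>Login failed for user {safe}. Please try again.</p>"


def reflects_raw_markup(render, probe: str = POC_USERNAME) -> bool:
    """Self-check for a renderer: True if the probe comes back unencoded."""
    return probe in render(probe)


# Detection (section V): a simple signature over web-server access-log lines.
# Requests are URL-decoded first so that %3Cscript%3E is matched as well.
XSS_MARKERS = re.compile(
    r"<\s*script\b"        # opening <script> tag
    r"|javascript\s*:"     # javascript: URLs
    r"|\bon\w+\s*=",       # inline event handlers such as onmouseover=
    re.IGNORECASE,
)


def flag_requests(log_lines):
    """Return the log lines whose request string carries an XSS marker."""
    hits = []
    for line in log_lines:
        if XSS_MARKERS.search(unquote_plus(line)):
            hits.append(line)
    return hits


# Constructed sample log lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2007:09:14:14 +0200] "POST /forum/login.do?user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Jul/2007:09:15:02 +0200] "GET /forum/login.do?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [13/Jul/2007:09:15:30 +0200] "GET /forum/login.do?user=bob%22%20onmouseover%3D%22x HTTP/1.1" 200 640',
]


if __name__ == "__main__":
    print("vulnerable renderer reflects markup:",
          reflects_raw_markup(render_login_error_vulnerable))
    print("fixed renderer reflects markup:",
          reflects_raw_markup(render_login_error_fixed))
    for hit in flag_requests(SAMPLE_LOG):
        print("flagged:", hit)
```

The renderer fix is output encoding at the point where the value enters HTML; rejecting "bad" user names at input is weaker, because the same value may later be reflected in a different context. The log signature is deliberately small: it decodes only one layer of URL encoding and matches a few markers, so it will miss other encodings and will flag any parameter name that happens to start with "on" followed by "=". Treat it as a starting point for a proxy or IDS rule, to be tuned on the application's own traffic.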
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/