CodeMeter WebAdmin Cross-site Scripting (XSS) Vulnerability

[robkraus@xxxxxxxxxxxxxxx]

Vulnerability title: CodeMeter WebAdmin Cross-site Scripting (XSS) Vulnerability

CVSS Risk Rating: 3.9 (Low)

Product: CodeMeter WebAdmin

Application Vendor: Wibu-Systems

Vendor URL: http://www.codemeter.de

Public disclosure date: 5/30/2011

Discovered by: Rob Kraus and the Solutionary Engineering Research Team (SERT)

Solutionary ID: SERT-VDN-1007

Solutionary public disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/CodeMeter-WebAdmin.html

Vulnerability Description: The applications web interface contains an injection 
point, which allows for execution of Cross-site Scripting (XSS) attacks. 
Arbitrary client side code such as JavaScript can be included into certain 
parameters throughout the web application. The hardware dongle must be inserted 
in order to reproduce the vulnerability. The following parameters and web pages 
have been tested and verified; however, it is possible additional views and 
parameters within the application may be vulnerable: 

Reflected XSS 
Licenses.html (BoxSerial parameter)

Affected software versions: WebAdmin version 3.30 and 4.30 (previous versions 
may also be vulnerable)

Impact: Successful attacks could disclose sensitive information about the user, 
session, and application to the attacker, resulting in a loss of 
confidentiality. Using XSS, an attacker could  insert malicious code into a web 
page and entice naïve users to execute the malicious code.

Fixed in: Pending - The vendor has logged the issue and anticipates a patch to 
be available in Autumn 2011.

Remediation guidelines: Restrict access to internal network segments and 
monitor vendor notifications for application updates that may address and fix 
the issues identified. Remove the hardware dongle from the affected system when 
not needed.