BlueSocket web administration is vulnerable to XSS

2006.12.08
Credit: ISecAuditors
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-007
- Original release date: April 27, 2006
- Last revised: December 1, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 2/5
=============================================

I. VULNERABILITY
-------------------------
The BlueSocket web administration is vulnerable to a Cross Site Scripting attack.

II. BACKGROUND
-------------------------
The BSC 2100 product is part of the BlueSecure family (www.bluesocket.com). BlueSecure Controllers provide high-performance, reliable, policy-based WLAN security and management solutions that have been deployed by hundreds of large institutions, enterprises, and public access providers.

III. DESCRIPTION
-------------------------
The admin.pl Perl code does not sanitize its inputs, so when it writes the username back into the input field, HTML and script code can be written into the page and executed by the browser.

This cross-site scripting issue is in the administration interface of the security product; it has been tested only on the BSC 2100.

An attacker could send a fake e-mail to the administrator, spoofing the product's address, claiming that the configuration is wrong and including the crafted link. If the administrator follows the link and logs in to what appears to be the normal interface, their credentials are sent to the attacker. Combined with good social engineering, this is a serious risk.

IV. PROOF OF CONCEPT
-------------------------
This PoC injects HTML that changes the look and feel of the authentication page; an attacker could likewise inject script code that sends the credentials to them.

https://somehost.somedomain.org/admin.pl?ad_name=%22%3E%3Ch1%3EXSS%20BUG%3C/h1%3E%3C!--

V. BUSINESS IMPACT
-------------------------
Credentials could be stolen through social engineering attacks.

VI. SYSTEMS AFFECTED
-------------------------
Versions prior to 5.2, or without 5.1.1-BluePatch.

VII. SOLUTION
-------------------------
Update to version 5.2 or apply 5.1.1-BluePatch.

VIII. REFERENCES
-------------------------
Vulnerability item number 4484 in the Bluepatch V6 for 5.1.1.1 Release Notes.

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April 27, 2006: Initial vendor contact.
April 28, 2006: Vendor updates its near patch.
June 21, 2006: Publication of the patch.
September 16, 2006: Vendor confirms inclusion in referenced patch.
September 17, 2006: Advisory revised.

XI. DISCLOSURE TIMELINE
-------------------------
April 26, 2006: The vulnerability discovered by Internet Security Auditors.
December 1, 2006: Advisory finally published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.
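The defect described in section III is reflected XSS in an HTML attribute context: the `ad_name` value is written back into the username field's `value="..."` without escaping, so a quote in the parameter closes the attribute and the rest of the payload becomes markup. The following Python is an added illustration, not code from the advisory or from BlueSocket; `render_vulnerable` is a hypothetical reconstruction of the flawed echo (the real admin.pl is Perl and its template is not on the page), and `render_fixed` shows the standard remedy of escaping the value for the attribute context. The only page-derived input is the PoC URL from section IV; the `injected_tags` check is a simple way to confirm, in a test suite, that a rendered field contains no tags beyond the expected `<input>`.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The PoC URL from the advisory (section IV), used here as the sample input.
POC_URL = ("https://somehost.somedomain.org/admin.pl?ad_name="
           "%22%3E%3Ch1%3EXSS%20BUG%3C/h1%3E%3C!--")


def ad_name_from_url(url):
    """Extract the ad_name query parameter as a CGI script would see it (percent-decoded)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("ad_name", [""])[0]


def render_vulnerable(ad_name):
    """Hypothetical reconstruction of the flaw: the value is written straight into
    the attribute, so a leading double quote terminates it and injects markup."""
    return '<input type="text" name="ad_name" value="%s">' % ad_name


def render_fixed(ad_name):
    """Hardened form: escape &, <, >, " and ' before placing the value in an
    attribute.  quote=True is what makes this safe inside value="...". """
    return '<input type="text" name="ad_name" value="%s">' % html.escape(ad_name, quote=True)


_TAG_RE = re.compile(r"<[^>]+>")


def injected_tags(markup):
    """Return every tag in the rendered fragment other than the one expected <input ...>.
    An empty list means the user-controlled value did not break out of the attribute."""
    return [tag for tag in _TAG_RE.findall(markup) if not tag.startswith("<input ")]


if __name__ == "__main__":
    name = ad_name_from_url(POC_URL)
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = renderer(name)
        print("%-10s %s" % (label + ":", out))
        print("%-10s injected tags: %s" % ("", injected_tags(out)))
```

The escaped output keeps the attacker's text as a literal string in the field (`&quot;&gt;&lt;h1&gt;...`), which is exactly the behaviour a patched admin.pl should exhibit; the same regression check can be pointed at any other parameter the script echoes.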