[scip_Advisory 3809] Pro2col StingRay FTS login username cross site scripting

Credit: Marc Ruef
Risk: Low
Local: No
Remote: No

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Pro2col StingRay FTS login username cross site scripting scip AG Vulnerability ID 3809 (09/12/2008) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809 I. INTRODUCTION StingRay FTS is a file transfer server for Internet communications. Customers are able to transfer files or to send emails via the device. More information is available on the official product web site at the following URL: http://pro2col.com/solutions/products/stingray_fts II. DESCRIPTION Marc Ruef at scip AG found an input validation error within the current release. The initial logon script at /login.jsp that is not protected by any authentication procedure can be used to run arbitrary script code within a cross site scripting attack. Other parts of the application might be affected too. --- cut --- <form name="form_login" method="post" action="verify_login.jsp"> <input type="hidden" name="form_browser_os" value="2"> <input type="hidden" name="form_browser_type" value="2"> <table border="0" cellspacing="0" width="100%" class="loginheadertable"> <tr> <td valign="center" class="loginheadertable">StingRay Login</td> </tr> </table> <img border="0" src="images/line.jpg" width="100%" height="10"></img> <table border="0" cellpadding="5" cellspacing="5" width="100%" class="stdtable"> <tr height="25" valign="middle"> <td width="15%">Benutzername</td> <td width="35%"><input type="text" name="form_username" size="30"></td> <td width="50%"></td> </tr> <tr height="15" valign="middle"> <td>Passwort</td> <td> <input type="password" name="form_password" size="30"> </td> <td></td> </tr> </table> <img border="0" src="images/line.jpg" width="100%" height="10"> <table border="0" cellpadding="5" cellspacing="5" width="100%" class="stdtable"> <tr> <td width="50%" align="right"> <input type="Image" src="images/bt_login_de.gif" name="login" class="formbutton" onClick="SetBrowserParam(this.form);"> </td> <td></td> </tr> </table> </form> --- cut --- III. EXPLOITATION Classic script injection techniques and unexpected input data within a browser session can be used to exploit this vulnerabilities. The approach to verify an insecure installation is possible with a simple form input. Use the following string as user name and a wrong passwort for the proof-of-concept: <script>alert('scip');</script> The script injection happens in this line (between the H3 headers) in the file /verify_login.jsp: <H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3> The detection of vulnerable hosts is possible via Google hacking too as like Johnny Long has documented in his web database[1]. httprecon supports web fingerprinting for such devices too[2]. A plugin for our open-source exploiting framework Attack Tool Kit (ATK) will be published in the future[3]. IV. IMPACT Because non-authenticated parts of the software are affected, this vulnerability is serious for every secure environment. Non-authenticated users might be able to exploit this flaw to gain elevated privileges (e.g. extracting sensitive cookie information or launch a buffer overflow attack against another web browser). However, as Robert Welz with Pro2col told my via email, the discussed login part should be available on the internal interface only. Because other parts of the application might be affected too - this could include some second order vulnerabilities - a severe attack scenario might be possible. V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement. Usually the mathematical or logical symbols for less-than (<) and greater-than (>) are required to propose a HTML tag. In some cases single (') or double quotes (") are required to inject the code in a given HTML statement. Some implementation of security systems are looking for well-known attack tags as like <script> and attack attributes onMouseOver too. However, these are usually not capable of identifying highly optimized payload. VI. SOLUTION We have informed Pro2col on an early stage. They confirmed the problem and announced a bugfix for a release scheduled in March 2008 initially. A re-scheduling was proposed and no further details provided. Our last request stood unanswered for a long time. VII. VENDOR RESPONSE Pro2col has been informed a first time at 2008/06/12 via email at info-at-pro2col.com. A very kind reply by James Lewis came back a few hours later. Further discussion of the flaw (how to reproduce) were held with Robert Welz. A re-scheduling of the planned patch was proposed. Our last request stood unanswered for a long time. VIII. SOURCES scip AG - Security Consulting Information Process (german) http://www.scip.ch/ scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809 computec.ch document data base (german) http://www.computec.ch/download.php IX. DISCLOSURE TIMELINE 2007/12/05 Identification of the vulnerability 2007/12/06 First information to info-at-pro2col.com 2007/12/07 Immediate reply by and further discussion with James Lewis 2008/01/11 Technical confirmation by Robert Welz 2008/03/18 Status report by Robert Welz 2008/07/08 Offering for re-check of the patch by Robert Welz 2008/07/09 Undefined re-scheduling of the patch 2008/08/29 Last request for actual status (no reply) 2008/09/12 Public advisory X. CREDITS The vulnerabilities were discovered by Marc Ruef. Marc Ruef, scip AG, Zuerich, Switzerland maru-at-scip.ch http://www.scip.ch/ A1. BIBLIOGRAPHY [1] http://www.computec.ch/projekte/httprecon/ [2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814 [3] http://www.computec.ch/projekte/atk/ A2. LEGAL NOTICES Copyright (c) 2007-2008 scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com


Back to Top