Ericsson Drutt MSDP (Report Viewer) Cross Site Scripting

2015.04.01

Credit: Anastasios Monachos (secuid0)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2015-2165

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

+----------------------------------------------------------------------+
+ Ericsson Drutt MSDP (Report Viewer) - Cross Site Scripting Injection +
+----------------------------------------------------------------------+
Affected Product: Ericsson Drutt MSDP (Report Viewer)
Vendor Homepage	: www.ericsson.com
Version		: 4, 5 and 6 
CVE v2 Vector	: AV:N/AC:M/Au:N/C:N/I:P/A:N
CVE		: CVE-2015-2165
Discovered by	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.

The Report Viewer component contains a vulnerability (at multiple user-supplied input points) that could allow an unauthenticated, remote attacker to execute arbitrary code in the user's browser session in the context of the affected site. 

+----------------------+
+ Exploitation Details +
+----------------------+
The vulnerable input points and respective URL paths are listed below:

1. http://<drutt:port>/reports/pages/top-links.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=clicks&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=&atype=[XSS]&atitle=[XSS]

2. http://<drutt:port>/reports/pages/page-summary.jsp?portal=[XSS]&uid=[XSS]

3. http://<drutt:port>/reports/pages/top-useragent-devices.jsp?portal=[XSS]

4. http://<drutt:port>/reports/pages/service-summary.jsp?portal=[XSS]&uid=[XSS]

5. http://<drutt:port>/reports/pages/top-useragent-devices.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=reqs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

6. http://<drutt:port>/reports/pages/top-interest-areas.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=urs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

7. http://<drutt:port>/reports/pages/top-message-services.jsp?interval=Y&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=urs&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

8. http://<drutt:port>/reports/pages/user-statistics.jsp?portal=[XSS]&interval=Y&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

9. http://<drutt:port>/reports/pages/message-shortcode-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&
usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=9397[XSS]&uid2=[XSS]&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=XSS

10. http://<drutt:port>/reports/pages/message-providers-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

11. http://<drutt:port>/reports/pages/license-summary.jsp?interval=D&fromDate=2015-02-11&toDate=2015-02-12&fromTime=00&toTime=00&usercategory=&orderBy=ival&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

12. http://<drutt:port>/reports/pages/top-web-pages.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

13. http://<drutt:port>/reports/pages/top-devices.jsp?portal=[XSS]&interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

14. http://<drutt:port>/reports/pages/top-pages.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

15. http://<drutt:port>/reports/pages/useragent-device-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=[XSS]&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

16. http://<drutt:port>/reports/pages/message-services-summary.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

17. http://<drutt:port>/reports/pages/top-message-providers.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

18. http://<drutt:port>/reports/pages/top-message-devices.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

19. http://<drutt:port>/reports/pages/top-message-assets.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

20. http://<drutt:port>/reports/pages/top-message-downloads.jsp?interval=M&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

21. http://<drutt:port>/reports/pages/top-message-shortcode.jsp?interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

22. http://<drutt:port>/reports/pages/request-summary.jsp?interval=D&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=ival&sortDirection=desc&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

23. http://<drutt:port>/reports/pages/link-summary-select.jsp?portal=[XSS]

24. http://<drutt:port>/reports/pages/link-summary.jsp?portal=[XSS]&interval=M&fromDate=2014-02&toDate=2015-02&fromTime=17&toTime=18&usercategory=&orderBy=ival&sortDirection=desc&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

25. http://<drutt:port>/reports/pages/session-summary.jsp?portal=[XSS]&show=a&interval=M&fromDate=2014-02[XSS]&toDate=2015-02[XSS]&fromTime=17[XSS]&toTime=18[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

26. http://<drutt:port>/reports/pages/provider-summary-select.jsp?portal=[XSS]

27. http://<drutt:port>/reports/pages/provider-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

28. http://<drutt:port>/reports/pages/top-providers.jsp?portal=[XSS]

29. http://<drutt:port>/reports/pages/module-summary-select.jsp?portal=[XSS]

30. http://<drutt:port>/reports/pages/module-summary.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&orderBy=[XSS]&sortDirection=[XSS]&uid=[XSS]&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

31. http://<drutt:port>/reports/pages/top-providers.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

32. http://<drutt:port>/reports/pages/top-modules.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

33. http://<drutt:port>/reports/pages/top-services.jsp?portal=[XSS]&interval=H&fromDate=[XSS]&toDate=[XSS]&fromTime=[XSS]&toTime=[XSS]&usercategory=&top=10&sortOrder=asc&orderBy=[XSS]&sortDirection=[XSS]&uid=&uid2=&kword=[XSS]&uname=[XSS]&pname=[XSS]&sname=[XSS]&file=[XSS]&atype=[XSS]&atitle=[XSS]

+---------------------+
+ Disclosure Timeline +
+---------------------+
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
24.Feb.2015 - Contacted Corporate Security Office team
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
02.Mar.2015 - Shared vulnerability details
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
08.Mar.2015 - Agreed on public disclosure timelines
31.Mar.2015 - Public disclosure

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ericsson Drutt MSDP (Report Viewer) Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.