VU#802596: Pattern Insight 2.3 contains multiple vulnerabilities
ID: VU:802596 | Type: cert | Reporter: CERT | Modified: 2012-11-08T13:32:00
Overview
The Pattern Insight web interface contains multiple vulnerabilities.
Description
CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-4935: Pattern Insight: CSRF protections do not exist
When an already authenticated victim navigates to a malicious site containing a hidden form request, the malicious site can make authenticated requests to Pattern Insight on behalf of the victim, because the application does not tie state-changing requests to anything the attacker's page cannot supply.
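The standard defence for this class of issue is a synchronizer token: a secret bound to the victim's session that the server embeds in its own forms and requires on every state-changing request. A page on another origin can cause the browser to send the cookie, but cannot read the token. The following is an added example written for this note, not Pattern Insight's code; the in-memory session store, the `/admin/banner` route and the cookie name `jsession_id` are assumptions chosen to match the advisory's description.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical): session id -> session data.
SESSIONS: dict[str, dict] = {}


def create_session(user: str) -> str:
    """Start an authenticated session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Server-rendered form that carries the session's token as a hidden field.

    A cross-site page cannot read this value, so it cannot forge a valid POST.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/admin/banner">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="message"><button>Save</button></form>'
    )


def handle_post(cookies: dict, form: dict, headers: dict, site_origin: str) -> tuple[int, str]:
    """State-changing endpoint: accept only requests proving possession of the session token.

    Returns an (HTTP status, message) pair so the outcome can be inspected.
    """
    session = SESSIONS.get(cookies.get("jsession_id", ""))
    if session is None:
        return 401, "not authenticated"

    # Defence in depth: browsers attach an Origin header to cross-site POSTs.
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"

    # Constant-time comparison of the submitted token against the session's token.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"

    session["banner"] = form.get("message", "")
    return 200, "banner updated"


if __name__ == "__main__":
    sid = create_session("admin")
    # A forged request carries the cookie but not the token: rejected.
    print(handle_post({"jsession_id": sid}, {"message": "pwned"}, {}, "https://pi.example"))
    # The application's own form carries the token: accepted.
    token = SESSIONS[sid]["csrf_token"]
    print(handle_post({"jsession_id": sid}, {"message": "hi", "csrf_token": token},
                      {"Origin": "https://pi.example"}, "https://pi.example"))
```

The token must be regenerated whenever a new session is created and compared with a constant-time function; a token that is merely present but checked with `==` still stops CSRF, but leaks timing information about its value.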
CWE-16: Configuration: CVE-2012-4936: Pattern Insight: clickjacking/framing vulnerability
The application can be loaded inside a frame on another site and is therefore vulnerable to clickjacking. This can be mitigated by adding "X-Frame-Options" => "DENY" to the response headers. Furthermore, frame-busting code can be added to the application for additional protection and for the case where the victim's browser does not support X-Frame-Options. See <https://www.owasp.org/index.php/Clickjacking>
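The header fix is a one-line configuration change, but it is easy to leave an endpoint uncovered or to set a value browsers ignore. The example below, added here and not part of Pattern Insight or this note, shows a WSGI middleware that stamps every response with the header the note recommends, plus an audit function that classifies a response's framing protection so a scanner or test suite can flag the weak cases. The `unprotected_app` handler and the `run` harness are constructed stand-ins for the real application; the client-side frame-busting script the note also mentions is not shown.

```python
def add_frame_protection(app):
    """WSGI middleware (hypothetical) that forces X-Frame-Options: DENY on every response."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any value the application set so a weaker one cannot slip through.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def audit_frame_options(headers) -> str:
    """Classify a response's clickjacking protection from its header list.

    Returns "protected", "missing", "weak" or "conflicting".
    """
    values = [v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) > 1:
        # Browsers disagree on how to resolve duplicate headers; treat as a finding.
        return "conflicting"
    if values[0] in ("DENY", "SAMEORIGIN"):
        return "protected"
    # e.g. ALLOW-FROM, which most browsers never honoured.
    return "weak"


def unprotected_app(environ, start_response):
    """Constructed stand-in for the vulnerable application: no framing header at all."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>Pattern Insight (constructed page)</body></html>"]


def run(app, path="/"):
    """Minimal in-process WSGI client: returns (status, headers, body) for one GET."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, before, _ = run(unprotected_app)
    _, after, _ = run(add_frame_protection(unprotected_app))
    print("before:", audit_frame_options(before))   # missing
    print("after: ", audit_frame_options(after))    # protected
```

Applying the header at the middleware or reverse-proxy layer rather than per page is what makes the fix complete: every response, including error pages, gets the same value.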
CWE-384: Session Fixation CVE-2012-4937: Pattern Insight: Insecure session management leading to privilege escalation
Pattern Insight session management is insecure, making privilege escalation and authentication bypass possible. When a user logs into Pattern Insight, the user's browser may or may not already hold a jsession_id session cookie for the Pattern Insight domain. If the user does not have a session cookie for the Pattern Insight domain, the server issues the user a jsession_id and associates that session id with the user's current session. If the user already has a session cookie for the Pattern Insight domain, the server checks the "validity" of the session cookie. If the cookie is of "valid" form, the server associates the provided jsession_id session cookie with the user's new session.
Attack scenario:
1. Attacker obtains a "valid" session key.
2. Attacker sets the victim's jsession_id session cookie to the "valid" session key from step 1.
3. The attacker now knows the session id of a valid session.
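The root cause is that a session identifier chosen before authentication survives the login step. The added example below, which is not Pattern Insight's code, models the two login behaviours side by side: `login_vulnerable` reproduces the logic the note describes (a client-supplied cookie of "valid" form is adopted for the new authenticated session), and `login_fixed` discards whatever identifier the browser presented and issues a fresh one. The `SessionStore`, the `VALID_FORM` regex standing in for the server's "validity" check, and the cookie name are assumptions.

```python
import re
import secrets

# Constructed stand-in for the server's "valid form" check: the shape of a
# secrets.token_urlsafe(32) value. The real check in the product is unknown.
VALID_FORM = re.compile(r"^[A-Za-z0-9_-]{43}$")


class SessionStore:
    """Minimal server-side session table (hypothetical)."""

    def __init__(self):
        self.sessions: dict[str, dict] = {}

    def lookup(self, sid: str):
        return self.sessions.get(sid)


def login_vulnerable(store: SessionStore, cookies: dict, user: str, password_ok: bool):
    """Login as the note describes it: a well-formed pre-existing cookie is kept.

    Returns the session id that ends up bound to the authenticated user.
    """
    if not password_ok:
        return None
    sid = cookies.get("jsession_id")
    if sid is None or not VALID_FORM.match(sid):
        sid = secrets.token_urlsafe(32)
    # If sid came from the browser, whoever planted it now names a live session.
    store.sessions[sid] = {"user": user}
    return sid


def login_fixed(store: SessionStore, cookies: dict, user: str, password_ok: bool):
    """Hardened login: never trust the pre-authentication identifier.

    The old id is invalidated server-side and a new one is generated, so an id
    known before login is worthless afterwards.
    """
    if not password_ok:
        return None
    old = cookies.get("jsession_id")
    if old is not None:
        store.sessions.pop(old, None)
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = {"user": user}
    return sid


def demonstrate():
    """Return whether a pre-chosen id is still valid after login under each variant."""
    planted = secrets.token_urlsafe(32)          # an id known before the victim logs in
    cookies = {"jsession_id": planted}

    vuln_store = SessionStore()
    login_vulnerable(vuln_store, cookies, "victim", password_ok=True)
    fixed_store = SessionStore()
    new_sid = login_fixed(fixed_store, cookies, "victim", password_ok=True)

    return {
        "vulnerable_planted_id_authenticated": vuln_store.lookup(planted) is not None,
        "fixed_planted_id_authenticated": fixed_store.lookup(planted) is not None,
        "fixed_issued_new_id": new_sid != planted,
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

Regenerating the identifier at every privilege change (login, role elevation) is the fix; the new cookie should also be sent with the Secure and HttpOnly attributes so it cannot be read by injected script, which matters given the XSS issues in the same note.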
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-4938: Pattern Insight: HTML Injection In Banner Message
An admin can edit the banner message seen by all users. Raw HTML is accepted in this message and rendered to every user. A possible solution is OWASP AntiSamy for whitelisting where HTML is still needed (<https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project>).
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE-2012-4950 Pattern Insight: HTML Injection In Keyword Search page
The error messages on the Keyword Search page do not properly escape characters after encountering a character that the backend cannot parse. This results in a reflected XSS if an attacker sends a victim a crafted URL and the victim visits the application using that link.
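The two XSS findings call for different fixes: the search error message needs plain output encoding (no HTML is ever legitimate there), while the banner needs an allowlist sanitizer of the AntiSamy kind because some markup is wanted. The following is an added example for both, not code from Pattern Insight or from AntiSamy: a small allowlist sanitizer built on the standard-library `HTMLParser`, and an escaped error renderer. The tag and attribute allowlists and the error markup are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for the banner: formatting plus links, nothing that runs script.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input keeping only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag; its text content is still emitted, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers and unknown attributes are dropped
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # only http(s) links; blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close everything opened since this tag so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always re-encoded

    def close(self):
        super().close()
        while self.open_tags:  # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_banner(raw: str) -> str:
    """Allowlist-sanitize an admin-supplied banner before storing or rendering it."""
    parser = AllowlistSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def render_search_error(user_query: str) -> str:
    """Keyword Search error message with the reflected input fully encoded."""
    return f'<p class="error">Could not parse query: {html.escape(user_query, quote=True)}</p>'


if __name__ == "__main__":
    print(sanitize_banner('<b>Maintenance</b> tonight <script>alert(1)</script>'))
    print(sanitize_banner('<a href="javascript:alert(1)" onclick="x()">link</a>'))
    print(render_search_error('<img src=x onerror=alert(1)>'))
```

The sanitizer is deliberately conservative: an unknown tag is removed rather than passed through, an unclosed allowed tag is closed, and attribute values are re-encoded on output, which is the property an allowlisting library such as AntiSamy provides at larger scale.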
Impact
An attacker with access to the Pattern Insight web interface can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which could result in information leakage, privilege escalation, and/or denial of service. Also, because the application can be framed, an attacker can perform clickjacking attacks.
Solution
We are currently unaware of a practical solution to this problem.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Pattern Insight web interface using stolen credentials from a blocked network location.
Vendor Information
Pattern Insight Affected
Notified: September 07, 2012 Updated: October 24, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | 6 | AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal | 4.6 | E:POC/RL:W/RC:UC
Environmental | 1.2 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
References
 * <http://cwe.mitre.org/data/definitions/352.html>
 * <http://cwe.mitre.org/data/definitions/79.html>
 * <http://cwe.mitre.org/data/definitions/16.html>
 * <http://cwe.mitre.org/data/definitions/384.html>
 * <https://www.owasp.org/index.php/Clickjacking>
 * <https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project>
 * <https://owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet>
 * <https://www.owasp.org/index.php/Clickjacking#Defending_against_Clickjacking>
 * <https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet>
Acknowledgements
Thanks to the reporter who wishes to remain anonymous.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2012-4935 (<http://web.nvd.nist.gov/vuln/detail/CVE-2012-4935>), CVE-2012-4936 (<http://web.nvd.nist.gov/vuln/detail/CVE-2012-4936>), CVE-2012-4937 (<http://web.nvd.nist.gov/vuln/detail/CVE-2012-4937>), CVE-2012-4938 (<http://web.nvd.nist.gov/vuln/detail/CVE-2012-4938>), CVE-2012-4950 (<http://web.nvd.nist.gov/vuln/detail/CVE-2012-4950>)
Date Public: 2012-11-02
Date First Published: 2012-11-02
Date Last Updated: 2012-11-08 13:32 UTC
Document Revision: 17
Record metadata: source <https://www.kb.cert.org/vuls/id/802596>; published 2012-11-02T00:00:00; modified 2012-11-08T13:32:00; last seen 2021-09-28T17:50:46; aggregator CVSS v2 score 6.8, vector AV:N/AC:M/Au:N/C:P/I:P/A:P (severity MEDIUM, exploitability 8.6, impact 6.4, user interaction required); CVE list: CVE-2012-4935, CVE-2012-4936, CVE-2012-4937, CVE-2012-4938, CVE-2012-4950.
Related NVD entries
All five entries apply to Pattern Insight 2.3 (cpe:/a:patterninsight:pattern_insight:2.3, cpe:2.3:a:patterninsight:pattern_insight:2.3:*:*:*:*:*:*:*), were published 2012-11-18T21:55:00, last modified 2017-08-29T01:32:00, and last seen by the aggregator 2022-03-23.
CVE-2012-4935 (CWE-352): Cross-site request forgery (CSRF) vulnerability in the web interface in Pattern Insight 2.3 allows remote attackers to hijack the authentication of arbitrary users. CVSS v2 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P (exploitability 8.6, impact 6.4, user interaction required). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4935>
CVE-2012-4936 (NVD-CWE-Other): The web interface in Pattern Insight 2.3 allows remote attackers to conduct clickjacking attacks via a FRAME element. CVSS v2 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P (exploitability 8.6, impact 6.4, user interaction required). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4936>
CVE-2012-4937 (NVD-CWE-Other): Session fixation vulnerability in the web interface in Pattern Insight 2.3 allows remote attackers to hijack web sessions via a jsession_id cookie. CVSS v2 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P (exploitability 8.6, impact 6.4, no user interaction required). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4937>
CVE-2012-4938 (CWE-79): Cross-site scripting (XSS) vulnerability in the web interface in Pattern Insight 2.3 allows remote authenticated administrators to inject arbitrary web script or HTML via the banner message. CVSS v2 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N (exploitability 6.8, impact 2.9, user interaction required). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4938>
CVE-2012-4950 (CWE-79): Cross-site scripting (XSS) vulnerability in the Keyword Search page in the web interface in Pattern Insight 2.3 allows remote attackers to inject arbitrary web script or HTML via crafted characters that are not properly handled during construction of error messages. CVSS v2 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N (exploitability 8.6, impact 2.9, user interaction required). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4950>