**CVSS2:** 4.3 Medium
**Attack Vector:** NETWORK
**Attack Complexity:** MEDIUM
**Authentication:** NONE
**Confidentiality Impact:** NONE
**Integrity Impact:** PARTIAL
**Availability Impact:** NONE
**Vector:** AV:N/AC:M/Au:N/C:N/I:P/A:N
**EPSS:** 0.832 High
**EPSS Percentile:** 98.5%
**Title:** Multiple XSS in Sun Communications Express
**Advisory ID:** CORE-2009-0109
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/sun-communications-express>
**Date published:** 2009-05-20
**Date of last update:** 2009-05-20
**Vendors contacted:** Sun Microsystems
**Release mode:** Coordinated release
**Class:** Cross site scripting (XSS)
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**Bugtraq ID:** 34154, 34155
**CVE Name:** CVE-2009-1729
Several cross-site scripting vulnerabilities were found in the following files/URLs of the Sun Java System Communications Express:
https://<server>/uwc/abs/search.xml?
http://<server>/uwc/base/UWCMain
Cross-site scripting (XSS) vulnerabilities [1], [2] allow an attacker to execute arbitrary script code in the context of the user’s browser (in the vulnerable application’s domain). For example, an attacker could exploit an XSS vulnerability to steal user cookies (and then impersonate the legitimate user) or to fake a page requesting information from the user (e.g. credentials). These vulnerabilities occur when user-supplied data is displayed without encoding.
The Sun Alert for this issue has been assigned id 258068 and it is available at the following URL: <http://sunsolve.sun.com/search/document.do?assetkey=1-26-258068-1>.
These vulnerabilities were discovered by the SCS team from Core Security Technologies.
Cross-Site Scripting (commonly referred to as XSS) attacks are the result of improper encoding or filtering of input obtained from untrusted sources. Basically, they consist of the attacker injecting malicious tags and/or script code that is executed by the user’s web browser when accessing the vulnerable web site. The injected code then takes advantage of the trust the user has placed in the vulnerable site. These attacks are usually targeted at all users of a web application rather than at the application itself (although one could say that the users are affected because of a vulnerability of the web application). The term ‘cross-site scripting’ is also sometimes used in a broader sense, referring to different types of attacks involving script injection into the client. For additional information, please look at the references [1], [2], [3], [4] and [5].
Cross-site scripting vulnerabilities were found in the following file/URL:
https://<server>/uwc/abs/search.xml?
This is part of the ‘Personal Address Book -> Add contact’ functionality. Although the affected URL is normally reached through a POST request, this vulnerability can be exploited with both a GET and a POST request, using the following variable:
abperson_displayName
The contents of the variable mentioned above are not encoded when they are used in HTML output, which allows an attacker who controls that content to inject JavaScript code.
The following code is a proof of concept of this flaw:
https://<server>/uwc/abs/search.xml?bookid=e11e46531a8a0&j_encoding=UTF-8&uiaction=quickaddcontact&entryid=&valueseparator=%3B&prefix=abperson_&stopalreadyselected=1&isselchanged=0&idstoadd=&selectedbookid=&type=abperson%2Cgroup&wcfg_groupview=&wcfg_searchmode=&stopsearch=1&expandgroup=&expandselectedgroup=&expandonmissing=&nextview=&bookid=e11e46531a8a0&actionbookid=e11e46531a8a0&searchid=7&filter=entry%2Fdisplayname%3D*&firstentry=0&sortby=%2Bentry%2Fdisplayname&curbookid=e11e46531a8a0&searchelem=0&searchby=contains&searchstring=Search+for&searchbookid=e11e46531a8a0&abperson_givenName=aa&abperson_sn=aa&abperson_piEmail1=a%40a.com&abperson_piEmail1Type=work&abperson_piPhone1=11&abperson_piPhone1Type=work&quickaddprefix=abperson_&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E%2C+%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E&abperson_entrytype=abperson&abperson_memberOfPIBook=e11e46531a8a0
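As an added detection example (not part of the advisory, and not Sun's or Core Security's code), the following script scans constructed web-server access-log lines for requests under `/uwc/` whose query parameters, once fully percent-decoded, carry markup or script-breakout markers such as the `%3Cscript%3E` in the proof of concept above. The log lines, client addresses and the `PARAM` name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format), not taken from the advisory.
# "PARAM" is a placeholder for the affected UWCMain parameter, which is not legible here.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2009:10:00:01 +0000] "GET /uwc/abs/search.xml?uiaction=quickaddcontact&abperson_displayName=John+Smith HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2009:10:00:07 +0000] "GET /uwc/abs/search.xml?uiaction=quickaddcontact&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E HTTP/1.1" 200 611
10.0.0.9 - - [20/May/2009:10:00:09 +0000] "GET /uwc/abs/search.xml?abperson_displayName=%253Cscript%253E HTTP/1.1" 200 600
10.0.0.9 - - [20/May/2009:10:00:12 +0000] "GET /uwc/base/UWCMain?anon=true&caltype=temporaryCalids&PARAM=x%27;alert(%27hello%27);a=%27 HTTP/1.1" 200 300
10.0.0.7 - - [20/May/2009:10:00:15 +0000] "GET /uwc/base/UWCMain?anon=true&caltype=temporaryCalids HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/')

# Script tags, javascript: URLs, inline event handlers and quote-then-semicolon
# string breakouts, matched only after the value has been fully percent-decoded.
SUSPICIOUS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=|['\"]\s*;", re.I)

def query_params(query):
    """Yield (name, raw_value) pairs, splitting on '&' only so that a ';' inside a
    value (as in the UWCMain proof of concept) stays part of that value."""
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            yield unquote_plus(name), raw

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '<' (%253C) is still caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_text, path_prefix="/uwc/"):
    """Return (client, path, parameter, decoded value) for every query parameter
    under path_prefix whose decoded content matches SUSPICIOUS."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(path_prefix):
            continue
        client = line.split(" ", 1)[0]
        for name, raw in query_params(parts.query):
            decoded = fully_decode(raw)
            if SUSPICIOUS.search(decoded):
                findings.append((client, parts.path, name, decoded))
    return findings

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding)
```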
Cross-site scripting vulnerabilities were found in the following file/URL:
http://<server>/uwc/base/UWCMain
The contents of the URL are not encoded when they are used in HTML output, which allows an attacker who controls them to inject JavaScript code.
This vulnerability can be exploited through a GET request, and the user does not need to be logged into the web application. This makes this cross-site scripting vulnerability well suited to email-based attacks: an attacker can send the victim a link to a ‘calendar’ via email and ‘exploit’ the victim when the link is followed.
The following code is a proof of concept of this flaw:
http://<server>/uwc/base/UWCMain?anon=true&[email protected]&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&[email protected]%27;alert(%27hello%27);a=%27
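As an added illustration of the root cause named in both descriptions above (values used in HTML output without encoding), the following code is not from the advisory or from Sun's product: it renders the two percent-decoded proof-of-concept payloads with and without context-appropriate output encoding. The search.xml case is an HTML body context; the shape of the UWCMain payload (`';alert('hello');a='`) suggests a value reflected inside a single-quoted JavaScript string, so that case uses a JavaScript string-literal encoder. Function and variable names are hypothetical.

```python
import html
import json

# The two payloads from the advisory's proofs of concept, percent-decoded.
HTML_CONTEXT_PAYLOAD = "<script>alert('xss2')</script>, <script>alert('xss1')</script>"
JS_STRING_PAYLOAD = "';alert('hello');a='"

def render_contact_vulnerable(display_name):
    """Reflects the display name into HTML as-is (the search.xml flaw)."""
    return "<td>" + display_name + "</td>"

def render_contact_fixed(display_name):
    """HTML body context: entity-encode & < > \" and ' on output."""
    return "<td>" + html.escape(display_name, quote=True) + "</td>"

def render_script_vulnerable(value):
    """Reflects a query parameter into a single-quoted JavaScript string as-is;
    the payload closes the string and appends its own statement (inferred UWCMain case)."""
    return "<script>var v='" + value + "';</script>"

def js_string_literal(value):
    """JavaScript string context: JSON-encode, then escape < > & as \\uXXXX so the
    value can neither close the string nor contain a literal '</script>'."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def render_script_fixed(value):
    """The same script block with the value emitted as a safe string literal."""
    return "<script>var v=" + js_string_literal(value) + ";</script>"

if __name__ == "__main__":
    print(render_contact_vulnerable(HTML_CONTEXT_PAYLOAD))
    print(render_contact_fixed(HTML_CONTEXT_PAYLOAD))
    print(render_script_vulnerable(JS_STRING_PAYLOAD))
    print(render_script_fixed(JS_STRING_PAYLOAD))
```

The encoder must match the context the value lands in: `html.escape` is the right fix for the table cell, while the script block needs a JavaScript string encoder.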
[1] HTML Code Injection and Cross-Site Scripting: <http://www.technicalinfo.net/papers/CSS.html>
[2] The Cross-Site Scripting FAQ (XSS): <http://www.cgisecurity.com/articles/xss-faq.shtml>
[3] How to prevent Cross-Site Scripting Security Issues: <http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985>
[4] How to review ASP Code for CSSI Vulnerability: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119>
[5] How to review Visual InterDev Generated Code for CSSI Vulnerability: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120>
[6] HTTP Response Splitting vulnerability in Sun Delegated Administrator: <https://www.coresecurity.com/content/sun-delegated-administrator>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <https://www.coresecurity.com/core-labs>.
Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, Core Impact, is the most comprehensive product for performing enterprise security assurance testing. Core Impact evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing.
The contents of this advisory are copyright © 2009 Core Security Technologies and © 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of the Core Security advisories team.