Telligent Community Server 5.x Cross Site Scripting

2011-08-04T00:00:00
ID PACKETSTORM:103725
Type packetstorm
Reporter Gabriel Lima
Modified 2011-08-04T00:00:00

Description

                                        
                                            `Editor's note: 4 Advisories are grouped together here.  
  
=======================================================================  
*Community Server - Stored Cross-site Scripting in user's signature.  
*  
- Product description:  
Community Server is a communities and collaboration web application  
developed by Telligent.  
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From it's  
5.0 version, the software was renamed to Telligent Community.  
  
  
- Vulnerability Details:  
It is possible to insert scripts (Cross-site Scripting) in user's signature,  
using BBCode Tag's processing errors.  
  
  
- Proof of Concept:  
Set an user's signature to:  
  
[img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img]  
  
An alert will be show in every topic the user posts in and also in its  
profile.  
  
  
- Affected Versions:  
Community Server 2007  
(may affect others)  
  
  
- Unaffected Versions:  
Telligent Community 5.x or earlier  
  
  
- Timeline:  
[05/25/10] Vulnerability details sent to address for security related  
contacts present at company's website, although the address did not exist.  
[05/26/10] Ticket opened asking for contact to send off vulnerability  
details.  
[05/26/10] Ticket's answer received, containing e-mail for the sending of  
vulnerability details.  
[05/26/10]Vulnerability details sent.  
[05/26/10] Answer received informing that vulnerability did not exist on  
latest versions of the product.  
[07/15/11] Advisory published.  
  
- Credits:  
PontoSec - Segurança da Informação < http://www.pontosec.com > - Researcher:  
Gabriel Lima (gabriel <at> pontosec.com)  
  
  
  
=======================================================================  
Community Server - Reflected Cross-Site Scripting - TagSelector.aspx  
  
- Product description:  
Community Server is a communities and collaboration web application  
developed by Telligent.  
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From  
it's 5.0 version, the software was renamed to Telligent Community.  
  
- Vulnerability Details:  
It is possible to insert scripts at the page (Cross-site Scripting)  
through the TagEditor parameter (GET) from /utility/TagSelector.aspx.  
  
- Proof of Concept:  
When accessing the TagSelector.aspx file, setting the TagEditor value  
as “ ‘);%0Aalert(1);</script> ”, an alert box containing a number 1  
appears, confirming the vulnerability.  
  
Example: http://site.example/utility/TagSelector.aspx?TagEditor=’);%0Aalert(1);</script>  
  
  
- Affected Versions:  
Community Server 2007  
Community Server 2008  
(may affect others)  
  
- Unaffected Versions:  
Telligent Community 5.x or earlier  
  
- Timeline:  
[05/25/10] Vulnerability details sent to address for security related  
contacts present at company's website, although the address did not  
exist.  
[05/26/10] Ticket opened asking for contact to send off vulnerability details.  
[05/26/10] Ticket's answer received, containing e-mail for the sending  
of vulnerability details.  
[05/26/10] Vulnerability details sent.  
[05/26/10] Answer received informing that vulnerability did not exist  
on latest versions of the product.  
[07/15/11] Advisory published.  
  
Credits:  
PontoSec - Segurança da Informação < http://www.pontosec.com > -  
Researcher: Gabriel Lima (gabriel <at> pontosec.com)  
  
  
=======================================================================  
Community Server - Reflected Cross-Site Scripting - TagSelector.aspx  
  
- Product description:  
Community Server is a communities and collaboration web application  
developed by Telligent.  
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From  
it's 5.0 version, the software was renamed to Telligent Community.  
  
- Vulnerability Details:  
It is possible to insert scripts at the page (Cross-site Scripting)  
through the TagEditor parameter (GET) from /utility/TagSelector.aspx.  
  
- Proof of Concept:  
When accessing the TagSelector.aspx file, setting the TagEditor value  
as “ ‘);%0Aalert(1);</script> ”, an alert box containing a number 1  
appears, confirming the vulnerability.  
  
Example: http://site.example/utility/TagSelector.aspx?TagEditor=’);%0Aalert(1);</script>  
  
  
- Affected Versions:  
Community Server 2007  
Community Server 2008  
(may affect others)  
  
- Unaffected Versions:  
Telligent Community 5.x or earlier  
  
- Timeline:  
[05/25/10] Vulnerability details sent to address for security related  
contacts present at company's website, although the address did not  
exist.  
[05/26/10] Ticket opened asking for contact to send off vulnerability details.  
[05/26/10] Ticket's answer received, containing e-mail for the sending  
of vulnerability details.  
[05/26/10] Vulnerability details sent.  
[05/26/10] Answer received informing that vulnerability did not exist  
on latest versions of the product.  
[07/15/11] Advisory published.  
  
Credits:  
PontoSec - Segurança da Informação < http://www.pontosec.com > -  
Researcher: Gabriel Lima (gabriel <at> pontosec.com)  
  
  
  
=======================================================================  
Community Server - Stored Cross-site Scripting in user's signature.  
  
- Product description:  
Community Server is a communities and collaboration web application  
developed by Telligent.  
It uses ASP.NET platform (C#) and Microsoft SQL Server database. From  
it's 5.0 version, the software was renamed to Telligent Community.  
  
  
- Vulnerability Details:  
It is possible to insert scripts (Cross-site Scripting) in user's  
signature, using BBCode Tag's processing errors.  
  
  
- Proof of Concept:  
Set an user's signature to:  
  
[img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img]  
  
An alert will be show in every topic the user posts in and also in its profile.  
  
  
- Affected Versions:  
Community Server 2007  
(may affect others)  
  
  
- Unaffected Versions:  
Telligent Community 5.x or earlier  
  
  
- Timeline:  
[05/25/10] Vulnerability details sent to address for security related  
contacts present at company's website, although the address did not  
exist.  
[05/26/10] Ticket opened asking for contact to send off vulnerability details.  
[05/26/10] Ticket's answer received, containing e-mail for the sending  
of vulnerability details.  
[05/26/10]Vulnerability details sent.  
[05/26/10] Answer received informing that vulnerability did not exist  
on latest versions of the product.  
[07/15/11] Advisory published.  
  
- Credits:  
PontoSec - Segurança da Informação < http://www.pontosec.com > -  
Researcher: Gabriel Lima (gabriel <at> pontosec.com)  
`