Avaya IP Office Customer Call Reporter XSS

Type packetstorm
Reporter MustLive
Modified 2013-08-22T00:00:00


Hello list!
I want to warn you about vulnerabilities in Avaya IP Office Customer Call
Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site
Scripting) vulnerabilities.
After I found multiple vulnerabilities in Avaya IP Office Customer Call
Reporter in December, I informed ZDI about them (the critical ones). ZDI was
very slow in processing these holes (despite my reminders) and only
on the 30th of July did they begin actively working on them. I wrote about this
case with ZDI in the WASC Mailing List.
When Avaya ignored my notification in July and ZDI stopped working on this case
in August (since Avaya was not responding to them either), I published these
two vulnerabilities (the least critical ones). There are many other
vulnerabilities, including critical holes which allow taking control over the
admin panel, so Avaya still has a chance to get details of the vulnerabilities
in their product before public disclosure.
Affected products:  
Vulnerable are Avaya IP Office Customer Call Reporter (tested in  
December 2012) and (tested recently) and previous versions.  
Affected vendors:  
Avaya Inc.  
Remote HTML Include (Frame Injection) (WASC-12):  
Remote XSS Include (Cross-Site Scripting) (WASC-08):  
2012.12.06 - found multiple vulnerabilities (these ones and other critical  
2012.12.13 - informed ZDI about other critical vulnerabilities.  
2012.12.18 - again informed ZDI about other critical vulnerabilities.  
2013.01.27 - registered at zerodayinitiative.com and informed them through  
the site. ZDI started working on the case.  
2013.07.28 - informed Avaya (via two contact forms) about these holes and  
other critical vulnerabilities, due to slowness of ZDI.  
2013.07.29 - wrote about ZDI in WASC Mailing List.  
2013.07.30 - if earlier ZDI had only pretended to work on the case, this
time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was
not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).  
Best wishes & regards,  
Administrator of Websecurity web site