Endeca Latitude 2.2.2 Cross Site Scripting

`Advisory: Endeca Latitude Cross-Site Scripting  
  
RedTeam Pentesting discovered a Cross-Site Scripting (XSS)  
vulnerability in Endeca Latitude. By exploiting this vulnerability an  
attacker is able to execute arbitrary JavaScript code in the context  
of other Endeca Latitude users.  
  
  
Details  
=======  
  
Product: Endeca Latitude  
Affected Versions: 2.2.2, potentially others  
Fixed Versions: N/A  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: N/A  
Vendor Status: decided not to fix  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003  
Advisory Status: published  
CVE: CVE-2014-2400  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400  
  
  
Introduction  
============  
  
Endeca Latitude is an enterprise data discovery platform for advanced,  
yet intuitive, exploration and analysis of complex and varied data.  
Information is loaded from disparate source systems and stored in a  
faceted data model that dynamically supports changing data. This  
integrated and enriched data is made available for search, discovery,  
and analysis via interactive and configurable applications.  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
Endeca Latitude offers administrators to trigger different functions by  
using the following two URLs (see [1]):  
  
* http://example.com/config?op=<supported-operation>  
* http://example.com/admin?op=<supported-operation>  
  
When accessing such an URL which uses an invalid value for the HTTP GET  
parameter "op", such as  
http://example.com/config?op=RedTeam%20Pentesting, an error message is  
shown by the webapplication and the invalid value is directly embedded  
into the document without prior escaping, which leads to a Cross-Site  
Scripting vulnerability.  
  
  
Proof of Concept  
================  
  
As shown by the following URL, an attacker is able to embed arbitrary  
JavaScript code into the context of the Endeca Latitude instance:  
  
http://example.com/config?op=<script>alert('RedTeam Pentesting');</script>  
  
  
Workaround  
==========  
  
The vendor did not update the vulnerable software, but recommends to  
configure all installations to require mutual authentication using TLS  
certificates for both servers and clients, while discouraging users from  
installing said client certificates in browsers.  
  
  
Fix  
===  
  
Not available. The vendor did not update the vulnerable software to  
remedy this issue.  
  
  
Security Risk  
=============  
  
The vulnerability can be used to embed arbitrary JavaScript code and  
therefore offers a wide range of possible attacks such as stealing  
cookies or displaying a fake login form. Furthermore, an attacker can use  
this vulnerability to control the Endeca Latitude instance by using the  
API implemented by its web service (see [2]). The risk of this  
vulnerability is therefore considered to be high.  
  
  
Timeline  
========  
  
2013-10-06 Vulnerability identified  
2013-10-08 Customer approved disclosure to vendor  
2013-10-15 Vendor notified  
2013-10-17 Vendor responded that investigation/fixing is in progress  
2014-02-24 Vendor responded that bug is fixed and scheduled for a future  
CPU  
2014-03-13 Vendor responded with additional information about a  
potential workaround  
2014-04-15 Vendor releases Critical Patch Update Advisory with little  
information on the proposed fix  
2014-04-16 More information requested from vendor  
2014-05-02 Vendor responds with updated information  
2014-06-25 Advisory released  
  
  
  
References  
==========  
  
[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html  
[2] http://docs.oracle.com/cd/E29220_01/index.htm  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`