answerbook2.txt

🗓️ 29 Mar 2005 00:00:00Reported by Thomas Liam RomanisType

packetstorm🔗 packetstormsecurity.com👁 36 Views

Multiple issues in Sun AnswerBook2 including XSS and attack vector vulnerabilities in search and administrative functions. Remedial action recommended for AnswerBook2 server in Solaris 7 and 8

Reporter	Title	Published	Views	Family All 15
Tenable Nessus	Sun AnswerBook2 < 1.4.5 XSS	8 Mar 200500:00	–	nessus
CVE	CVE-2005-0548	9 Mar 200505:00	–	cve
CVE	CVE-2005-0549	9 Mar 200505:00	–	cve
Cvelist	CVE-2005-0548	9 Mar 200505:00	–	cvelist
Cvelist	CVE-2005-0549	9 Mar 200505:00	–	cvelist
Exploit DB	Sun Solaris AnswerBook2 - Multiple Cross-Site Scripting Vulnerabilities	7 May 200500:00	–	exploitdb
EUVD	EUVD-2005-0549	7 Oct 202500:30	–	euvd
EUVD	EUVD-2005-0550	7 Oct 202500:30	–	euvd
exploitpack	Sun Solaris AnswerBook2 - Multiple Cross-Site Scripting Vulnerabilities	7 May 200500:00	–	exploitpack
NVD	CVE-2005-0548	7 Mar 200505:00	–	nvd

`  
  
PTT SECURITY ADVISORY  
DATE: 08-02-2005  
AUTHOR: THOMAS LIAM ROMANIS  
CURRENT EMPLOYER: Echelon Ltd  
VENDOR: Sun  
PRODUCT: Sun AnswerBook2  
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)  
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].  
  
Summary.  
  
A number of issues have been identified in Sun Answerbook2. The first is AN xss issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.  
  
Detail.  
  
1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]  
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low.   
  
http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%  
29%3C%2Fscript%3E&Search=+Search+  
  
It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result.   
  
2. Administration Attack Vector issue.[CAN-2005-0549]  
When the Answerbook2 administrator opts to view the Access log file ( /var/log/ab2/logs/access-8888.log) or Error log file ( /var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, If an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.  
  
http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access  
  
Remedial Action.  
  
The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature   
  
removal here:   
  
http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view  
  
Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported   
  
releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for   
  
the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and   
  
using other sources of documentation, namely the Solaris Documentation CD and online formats at   
  
http://docs.sun.com.  
  
The Alert Released by Sun can be found at:  
  
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1  
  
`

29 Mar 2005 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.00442