13 Jul 2007, reported by Marc Ruef. Source: packetstorm (packetstormsecurity.com)

SiteScape forum 7.3 Cross Site Scripting Vulnerability in non-authenticated part

SiteScape Forum prior to 7.3 Cross Site Scripting  
  
scip AG Vulnerability ID 3159 (07/13/2007)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159  
  
I. INTRODUCTION  
  
SiteScape forum is a commercial web forum. It uses presence to connect   
teams through phone, IM, chat, SMS and email, as well as voice- and   
web-conferencing. The application also supports online threaded   
discussions and creation of content through blogs, wikis and   
workflow-driven document and task management.  
  
More information is available at the official web site at the following URL:  
  
http://www.sitescape.com/  
  
II. DESCRIPTION  
  
Marc Ruef at scip AG found an input validation error within SiteScape   
Forum prior to release 7.3.  
  
Some scripts that are not protected by any authentication procedure can   
be used to run arbitrary script code within a cross site scripting attack.  
  
Other parts of the application might be affected too.  
  
III. EXPLOITATION  
  
Classic script injection techniques and unexpected input data within a   
browser session can be used to exploit these vulnerabilities.  
  
The simplest way to verify that an installation is vulnerable is through   
the login procedure. Use the following string as the user name together   
with a wrong password for a simple proof of concept[1]:  
  
<script>alert('scip');</script>  
  
A plugin for our open-source exploiting framework "Attack Tool Kit"   
(ATK) will be published in the near future. [2]  
  
IV. IMPACT  
  
Because non-authenticated parts of the software are affected, these   
vulnerabilities are serious for every secure environment.   
Non-authenticated users might be able to exploit this flaw to gain   
elevated privileges (e.g. extracting sensitive cookie information or   
launching a buffer overflow attack against another web browser).  
  
Because other parts of the application might be affected too - this   
could include some second order vulnerabilities - a severe attack   
scenario might be possible.  
  
V. DETECTION  
  
Detection of web based attacks requires a specialized web proxy and/or   
intrusion detection system. Patterns for such a detection are available   
and easy to implement.  
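The reflected login error described in section III, shown as a vulnerable and a hardened rendering, together with the kind of detection pattern section V refers to, run over constructed access-log lines. This is an added illustration, not SiteScape's own code; the page template, the `user` parameter name and the log lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept string from the advisory.
POC = "<script>alert('scip');</script>"

def login_error_vulnerable(username: str) -> str:
    # Reflects the submitted user name verbatim into the error page:
    # the class of flaw the advisory describes (hypothetical template).
    return f"<p>Login failed for user {username}</p>"

def login_error_hardened(username: str) -> str:
    # Contextual output encoding for an HTML text node; quote=True also
    # makes the value safe inside a quoted attribute.
    return f"<p>Login failed for user {html.escape(username, quote=True)}</p>"

# Detection side: a simple script-injection pattern for the login parameter.
SCRIPT_INJECTION = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed Common Log Format lines, not from a real installation.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2007:10:01:02 +0200] "GET /forum/login?user=alice&pw=x HTTP/1.1" 401 512',
    '10.0.0.9 - - [13/Jul/2007:10:01:07 +0200] "GET /forum/login?user=%3Cscript%3Ealert(%27scip%27)%3B%3C%2Fscript%3E&pw=x HTTP/1.1" 200 2048',
]

def flag_login_requests(log_lines):
    """Return (line_no, decoded user name) for requests whose login user-name
    parameter matches the injection pattern. The parameter name 'user' is an
    assumption; parse_qs performs the URL decoding."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("user", []):
            if SCRIPT_INJECTION.search(value):
                hits.append((n, value))
    return hits

if __name__ == "__main__":
    print(login_error_vulnerable(POC))
    print(login_error_hardened(POC))
    print(flag_login_requests(SAMPLE_LOG))
```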
  
VI. SOLUTION  
  
We informed SiteScape at a very early stage. They told us that the   
problem had not been announced in a public advisory, but that it is   
already fixed in the latest release of the discussed software. Therefore,   
an upgrade to SiteScape Forum 7.3 or newer will solve the issues.  
  
VII. VENDOR RESPONSE  
  
SiteScape was first informed on 06/29/2007 via email to   
info-at-sitescape.com. A very kind reply from Chris Pressley came back   
some minutes later. The flaw (how to reproduce it) was discussed further   
and the release of a public advisory was co-ordinated.  
  
VIII. SOURCES  
  
scip AG - Security Consulting Information Process (German)  
http://www.scip.ch/  
  
scip AG Vulnerability Database (German)  
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159  
  
computec.ch document data base (German)  
http://www.computec.ch/download.php  
  
Die Kunst des Penetration Testing (German)  
http://www.amazon.de/dp/3936546495/  
  
IX. DISCLOSURE TIMELINE  
  
06/27/07 Identification of the vulnerabilities  
06/29/07 First response to info-at-sitescape.com  
06/29/07 Immediate reply by Chris Pressley  
07/09/07 Co-ordination of the advisory release  
07/13/07 Public advisory  
  
X. CREDITS  
  
The vulnerabilities were discovered by Marc Ruef.  
  
Marc Ruef, scip AG, Zuerich, Switzerland  
maru-at-scip.ch  
http://www.scip.ch/  
  
A1. BIBLIOGRAPHY  
  
[1] http://www.amazon.de/dp/3936546495/  
[2] http://www.computec.ch/projekte/atk/  
  
A2. LEGAL NOTICES  
  
Copyright (c) 2007 scip AG, Switzerland.  
  
Permission is granted for the re-distribution of this alert. It may not   
be edited in any way without permission of scip AG.  
  
The information in the advisory is believed to be accurate at the time   
of publishing based on currently available information. There are no   
warranties with regard to this information. Neither the author nor the   
publisher accepts any liability for any direct, indirect or   
consequential loss or damage from use of or reliance on this advisory.  