rt-sa-2007-005.txt

`Advisory: ActiveWeb Contentserver CMS Multiple Cross Site Scriptings   
  
RedTeam Pentesting discovered three Cross Site Scripting  
vulnerabilities in the activeWeb contentserver CMS during a penetration  
test. One of the Cross Site Scriptings is persistent.  
  
  
Details  
=======  
  
Product: activeWeb contentserver  
Affected Versions: <= 5.6.2929  
Fixed Versions: 5.6.2964  
Vulnerability Type: Cross Site Scripting  
Security-Risk: high  
Vendor-URL: http://www.active-web.de/aw/home/Produkte/~gf/contentserver/  
Vendor-Status: informed, fixed version released  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-005.php  
Advisory-Status: public  
CVE: CVE-2007-3014  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3014  
  
  
Introduction  
============  
  
contentserver is the comprehensive, scalable Content Management System  
for professional requirements. It combines editorial system, website  
management and development platform for web applications in one package.  
  
(translation of the description on the vendor's homepage)  
  
  
XSS Error Page rights.asp  
=========================  
  
The variable "msg" of the ASP script "rights.asp" is not properly  
filtered.  
  
Proof of Concept  
----------------  
  
http://www.example.com/errors/rights.asp  
?awReadAccessRight=True  
&msg=<script>alert('XSS')</script>  
  
  
XSS Error Page transaction.asp  
==============================  
  
The variable "msg" of the ASP script "transaction.asp" is not properly  
filtered.  
  
Proof of Concept  
----------------  
  
http://www.example.com/errors/transaction.asp  
?msg=<script>alert('XSS')</script>  
  
  
Persistent XSS Mimetypes  
========================  
  
As editors, users can add new mimetypes to the the system. The name of  
the new mimetype can contain arbitrary code. This allows for a  
persistent Cross Site Scripting.  
  
Proof of Concept  
----------------  
  
As an editor, log into the management interface and add a new mimetype.  
For the name, use a script, e.g.  
  
<script>alert('XSS')</script>  
  
Everytime a user looks at the mimetypes, the code will be executed.  
  
  
Workaround  
==========  
  
A possible workaround would be to use a filtering application set up in  
front of the real webserver, mitigating the risk of being exploited.  
  
  
Fix  
===  
  
The vulnerability is fixed in release 5.6.2964.  
  
  
Security Risk  
=============  
  
The risk is high, as these XSS can be used e.g. to steal session cookies  
of logged-in users.  
  
  
History  
=======  
  
2007-05-23 Problem found during a penetration test  
2007-05-30 Vendor notified by customer  
2007-06-01 Vendor called back and confirmed the vulnerability  
2007-06-18 CVE number assigned  
2007-07-11 Vendor released fixed version  
2007-07-13 Advisory released  
  
The vendor was very cooperative. There was always a competent contact  
person available who answered any questions.  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`