hpsnh-xss.txt

2008-08-27T00:00:00
ID PACKETSTORM:69428
Type packetstorm
Reporter Luca Carettoni
Modified 2008-08-27T00:00:00

Description

                                        
                                            `=====================================================================================  
Hopeless comments regarding the pointless   
"HP System Management Homepage (SMH) Unspecified XSS"  
  
August 25, 2008  
  
=====================================================================================  
[Overview]  
  
Since HP does not provide technical details in its security bulletins, it is really  
difficult to track vulnerabilities and patches.  
  
In the last few years several Cross Site Scripting vulnerabilities were reported   
against the HP System Management Homepage (SMH), however no technical details were  
provided and it is still difficult to understand the real entity of this issue.  
Whenever you search for information regarding this weakness in the public vulnerability   
databases, you can just read tons of incomplete or overlapped descriptions.  
  
In order to understand the essence of the problem, have a look at:  
http://www.securityfocus.com/bid/25953  
Although it is ages away from being useful, it gives a compact overview of the flaw.   
  
This is the most useless indeed:  
http://www.securityfocus.com/bid/24256  
  
This document discusses three attack vectors found on the HP System Management   
Homepage(SMH).  
  
=====================================================================================  
[Impact]  
  
Cross Site scripting (XSS)  
  
Since it is a web management console, the Cross Site Scripting vulnerability has a  
medium/high impact whenever it can be exploited.  
  
=====================================================================================  
[Technical Details]   
  
HP System Management Homepage (SMH) is prone to a XSS vulnerability because it   
fails to check the input parameter used to show a generic error message.  
  
The vulnerability affects the "message.php" script. In detail, this page uses the   
JavaScript property "location.search" in order to create a contextual error message.  
If the error ID provided in the URL does not match any valid code, a generic error   
is reported ("An unknown error (%INVALID_CODE%) occurred") instead.   
  
In the first versions of the HP System Management Homepage (probably <= 2.1.1) there  
is a client-side only input validation:  
  
<--- cut here --->  
// handle possible active content in the pieces of the query string  
for(i=0; i<splitquery.length; i++)  
{  
splitquery[i] = unescape(splitquery[i]);  
splitquery[i] = splitquery[i].replace("\<script\>", "");  
splitquery[i] = splitquery[i].replace("\<\/script\>", "");  
}  
<--- cut here --->  
  
As you can see, the validation is obviously prone to fail.  
Since it is not performed a global matching but just the first occurrence is replaced,   
it is trivial to bypass this control and successfully exploit the flaw.  
Moreover we have to remember that multiple attack vectors without the HTML "SCRIPT" tag  
exist in this situation.  
  
In the second generation (for sure, after the version 2.1.4), finally a server side  
validation was introduced. Unfortunately a simple NULL byte (%00) is enough  
to bypass this checkpoint and provides the "location.search" as in the previous  
vulnerable versions.  
The version 2.1.11 is patched against this vulnerability.  
  
The server side validation introduced in the second generation appears to be a black-list  
based filter. All HTML tags tested were blocked by the filter. However the '<BGSOUND>' tag  
has not been included in the black-list and it bypasses the server-side validation.  
As reported by Rsnake in his XSS Cheat Sheet,'<BGSOUND>' tag is a valid attack vector in   
certain versions of Opera.  
  
The latest version (2.1.12) has not yet been tested for this vector. Since only Opera  
users are likely to be affected, the associated risk is relatively low.  
  
=====================================================================================  
[Vulnerable Versions]   
  
According to our analysis, this is probably the most comprehensive list:   
  
HP System Management Homepage 2.1.9  
HP System Management Homepage 2.1.8  
HP System Management Homepage 2.1.7 (TESTED for 2nd, 3rd vector)  
HP System Management Homepage 2.1.6  
HP System Management Homepage 2.1.5 (TESTED for 2nd, 3rd vector)  
HP System Management Homepage 2.1.4  
HP System Management Homepage 2.1.3  
HP System Management Homepage 2.1.2  
HP System Management Homepage 2.1.1  
HP System Management Homepage 2.1  
HP System Management Homepage 2.0.2 (TESTED for 1st vector)  
HP System Management Homepage 2.0.1 (TESTED for 1st vector)  
HP System Management Homepage 2.0  
HP HP-UX B.11.31  
HP HP-UX B.11.23  
HP HP-UX B.11.11  
  
HP System Management Homepage 2.1.11   
HP System Management Homepage 2.1.12 are NOT vulnerable using the 1st and 2nd vector.  
  
=====================================================================================  
[Exploit]  
  
1st vector)  
https://<IP>:2381/message.php?<script><script>alert('xss')</script></script>  
  
2nd vector)  
https://<IP>:2381/message.php?aa%00<script><script>alert('xss')</script></script>  
  
3rd vector)  
https://<IP>:2381/message.php?aa<BGSOUND SRC="javascript:alert('XSS');">  
  
=====================================================================================  
[Credits]   
  
Luca Carettoni (luca.carettoni[at]ikkisoft[dot]com) - http://www.ikkisoft.com/  
Claudio Criscione (claudio[at]criscio[dot]net) - http://www.oversighting.com/  
Lavakumar Kuppan (lavakumark[at]gmail[dot]com) - http://www.lavakumar.com/  
  
=====================================================================================  
`