Lucene search
K

Novell Teaming Enumeration / XSS

🗓️ 15 Apr 2009 00:00:00Reported by Michael KirchnerType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 35 Views

Novell Teaming Multiple Vulnerabilities - Username Enumeration, XS

Code
`SEC Consult Security Advisory < 20090415-0 >  
==========================================================================  
title: Novell Teaming Multiple Vulnerabilities  
* Username Enumeration  
* Multiple Cross Site Scripting  
* Includes vulnerable Liferay portal  
program: Novell Teaming  
vulnerable version: 1.0.3  
homepage: http://www.novell.com/products/teaming/  
found: February 2009  
by: Michael Kirchner, SEC Consult Vulnerability Lab  
link:  
https://www.sec-consult.com/files/20090415-0-novell-teaming.txt  
==========================================================================  
  
Vendor description:  
-------------------  
  
Web conferencing software from Novell. Teaming and conferencing offers a  
number of solutions to improve productivity for enterprises, with web  
conferencing just one of those solutions.  
  
[source: http://www.novell.com/products/teaming/]  
  
  
Vulnerability overview:  
-----------------------  
  
Multiple vulnerabilities have been identified in Novell Teaming. These  
include enumeration of usernames, information disclosure, and cross site  
scripting flaws. An attacker could leverage these vulnerabilities to  
collect information about the system and its users and conduct effective  
(XSS supported) hybrid phishing attacks.  
  
  
Vulnerability description:  
-------------------------  
  
1. Username enumeration:  
  
User authentication takes place via a login form at:  
  
https://teaming.example.com/c/portal/login  
  
The web application reacts differently for valid and invalid usernames  
("Please enter a valid login" / "Auhtentication failed"). This allows an  
attacker to deduce wether a spedific username exists. The attacker could  
use this flaw to generate a list of usernames for dictionary- or  
bruteforce-attacks.  
  
2. Cross site scripting:  
  
The parameters p_p_state and p_p_mode are not validated or escaped by  
the web application. Script code can be injected into these parameters,  
allowing for cross site scripting attacks. Example:  
  
https://teaming.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE  
  
3. Vulnerable Liferay portal:  
  
Novell Teaming includes a version of Liferay portal with known  
vulnerabilities (two cross site scripting flaws):  
  
* Liferay Portal "login" Cross-Site Scripting Vulnerability  
http://secunia.com/advisories/27537/  
* Liferay Portal "emailAddress" Cross-Site Scripting  
http://secunia.com/advisories/27821/  
  
-  
  
Proof of concept:  
-----------------  
  
No special exploit code is required to exploit this vulnerabilities.  
  
  
Vulnerable versions:  
--------------------  
  
Version 1.0.3 of Novell Teaming is vulnerable to the issues described.  
Prior versions are most likely also vulnerable.  
  
  
Vendor contact timeline:  
------------------------  
  
2009-02-19: Vendor informed about vulnerabilities  
2009-04-14: Patches available  
  
  
Patch:  
------  
  
The vendor has provided fixes for the issues described. In addition, two  
Technical Information Documents containing update instructions have been  
released. These can be found at the following URLs:  
  
* TID 7002997  
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737  
  
* TID 7002999  
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737  
  
--  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
EOF SEC Consult Vulnerability Lab / @2009  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Apr 2009 00:00Current
7.4High risk
Vulners AI Score7.4
35