Re: [Full-disclosure] ActiveWeb Contentserver CMS Multiple Cross Site Scriptings

2007-07-13T00:00:00
ID SECURITYVULNS:DOC:17489
Type securityvulns
Reporter Securityvulns
Modified 2007-07-13T00:00:00

Description

didn't find this in your list. Work for their online demo site not sure if it works in actual deployment -

http://demo.active-web.de:80/sam.login/login.asp?org=>"><script>alert('xss');</script>&a=Y2FtcGZpcmU%253D&b=219f5bea94f21dc3e9207a32cfb69802&c=1c69e949%252D0941%252D46a1%252Da7b5%252D5a26b08548b1&d=58b69c32%252Dae15%252D4467%252Da02a%252D6c032b0f73b3&e=NThiNjljMzItYWUxNS00NDY3LWEwMmEtNmMwMzJiMGY3M2IzLWNhbXBmaXJl

don't miss to append other parameters as well - &a=Y2FtcGZpcmU%253D&b=219f5bea94f21dc3e9207a32cfb69802&c=1c69e949%252D0941%252D46a1%252Da7b5%252D5a26b08548b1&d=58b69c32%252Dae15%252D4467%252Da02a%252D6c032b0f73b3&e=NThiNjljMzItYWUxNS00NDY3LWEwMmEtNmMwMzJiMGY3M2IzLWNhbXBmaXJl

-d

On 7/13/07, RedTeam Pentesting GmbH <release@redteam-pentesting.de> wrote: > Advisory: ActiveWeb Contentserver CMS Multiple Cross Site Scriptings > > RedTeam Pentesting discovered three Cross Site Scripting > vulnerabilities in the activeWeb contentserver CMS during a penetration > test. One of the Cross Site Scriptings is persistent. > > > Details > ======= > > Product: activeWeb contentserver > Affected Versions: <= 5.6.2929 > Fixed Versions: 5.6.2964 > Vulnerability Type: Cross Site Scripting > Security-Risk: high > Vendor-URL: http://www.active-web.de/aw/home/Produkte/~gf/contentserver/ > Vendor-Status: informed, fixed version released > Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-005.php > Advisory-Status: public > CVE: CVE-2007-3014 > CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3014 > > > Introduction > ============ > > contentserver is the comprehensive, scalable Content Management System > for professional requirements. It combines editorial system, website > management and development platform for web applications in one package. > > (translation of the description on the vendor's homepage) > > > XSS Error Page rights.asp > ========================= > > The variable "msg" of the ASP script "rights.asp" is not properly > filtered. > > Proof of Concept > ---------------- > > http://www.example.com/errors/rights.asp > ?awReadAccessRight=True > &msg=<script>alert('XSS')</script> > > > XSS Error Page transaction.asp > ============================== > > The variable "msg" of the ASP script "transaction.asp" is not properly > filtered. > > Proof of Concept > ---------------- > > http://www.example.com/errors/transaction.asp > ?msg=<script>alert('XSS')</script> > > > Persistent XSS Mimetypes > ======================== > > As editors, users can add new mimetypes to the the system. The name of > the new mimetype can contain arbitrary code. This allows for a > persistent Cross Site Scripting. > > Proof of Concept > ---------------- > > As an editor, log into the management interface and add a new mimetype. > For the name, use a script, e.g. > > <script>alert('XSS')</script> > > Everytime a user looks at the mimetypes, the code will be executed. > > > Workaround > ========== > > A possible workaround would be to use a filtering application set up in > front of the real webserver, mitigating the risk of being exploited. > > > Fix > === > > The vulnerability is fixed in release 5.6.2964. > > > Security Risk > ============= > > The risk is high, as these XSS can be used e.g. to steal session cookies > of logged-in users. > > > History > ======= > > 2007-05-23 Problem found during a penetration test > 2007-05-30 Vendor notified by customer > 2007-06-01 Vendor called back and confirmed the vulnerability > 2007-06-18 CVE number assigned > 2007-07-11 Vendor released fixed version > 2007-07-13 Advisory released > > The vendor was very cooperative. There was always a competent contact > person available who answered any questions. > > > RedTeam Pentesting GmbH > ======================= > > RedTeam Pentesting is offering individual penetration tests, short > pentests, performed by a team of specialised IT-security experts. > Hereby, security weaknesses in company networks or products are > uncovered and can be fixed immediately. > > As there are only few experts in this field, RedTeam Pentesting wants to > share its knowledge and enhance the public knowledge with research in > security related areas. The results are made available as public > security advisories. > > More information about RedTeam Pentesting can be found at > http://www.redteam-pentesting.de. > > -- > RedTeam Pentesting GmbH Tel.: +49 241 963-1300 > Dennewartstr. 25-27 Fax : +49 241 963-1304 > 52068 Aachen http://www.redteam-pentesting.de/ > Germany Registergericht: Aachen HRB 14004 > Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck > > ___________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > >


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/