SEC Consult SA-20090415-0 :: Multiple Vulnerabilities in Novell Teaming

2009-04-17T00:00:00
ID SECURITYVULNS:DOC:21683
Type securityvulns
Reporter Securityvulns
Modified 2009-04-17T00:00:00

Description

SEC Consult Security Advisory < 20090415-0 >

          title: Novell Teaming Multiple Vulnerabilities
                 * Username Enumeration
                 * Multiple Cross Site Scripting
                 * Includes vulnerable Liferay portal
        program: Novell Teaming

vulnerable version: 1.0.3 homepage: http://www.novell.com/products/teaming/ found: February 2009 by: Michael Kirchner, SEC Consult Vulnerability Lab link: https://www.sec-consult.com/files/20090415-0-novell-teaming.txt ==========================================================================

Vendor description:

Web conferencing software from Novell. Teaming and conferencing offers a number of solutions to improve productivity for enterprises, with web conferencing just one of those solutions.

[source: http://www.novell.com/products/teaming/]

Vulnerability overview:

Multiple vulnerabilities have been identified in Novell Teaming. These include enumeration of usernames, information disclosure, and cross site scripting flaws. An attacker could leverage these vulnerabilities to collect information about the system and its users and conduct effective (XSS supported) hybrid phishing attacks.

Vulnerability description:

  1. Username enumeration:

User authentication takes place via a login form at:

https://teaming.example.com/c/portal/login

The web application reacts differently for valid and invalid usernames ("Please enter a valid login" / "Auhtentication failed"). This allows an attacker to deduce wether a spedific username exists. The attacker could use this flaw to generate a list of usernames for dictionary- or bruteforce-attacks.

  1. Cross site scripting:

The parameters p_p_state and p_p_mode are not validated or escaped by the web application. Script code can be injected into these parameters, allowing for cross site scripting attacks. Example:

https://teaming.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE

  1. Vulnerable Liferay portal:

Novell Teaming includes a version of Liferay portal with known vulnerabilities (two cross site scripting flaws):

  • Liferay Portal "login" Cross-Site Scripting Vulnerability http://secunia.com/advisories/27537/
  • Liferay Portal "emailAddress" Cross-Site Scripting http://secunia.com/advisories/27821/

-

Proof of concept:

No special exploit code is required to exploit this vulnerabilities.

Vulnerable versions:

Version 1.0.3 of Novell Teaming is vulnerable to the issues described. Prior versions are most likely also vulnerable.

Vendor contact timeline:

2009-02-19: Vendor informed about vulnerabilities 2009-04-14: Patches available

Patch:

The vendor has provided fixes for the issues described. In addition, two Technical Information Documents containing update instructions have been released. These can be found at the following URLs:

  • TID 7002997 http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

  • TID 7002999 http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH

Office Vienna Mooslackengasse 17 A-1190 Vienna Austria

Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009