Vulnerability Research Laboratory - VULNERLAB:95
Document Title:
===============
PGP Website - Multiple Cross Site Scripting Vulnerabilities
Release Date:
=============
2011-07-16
Vulnerability Laboratory ID (VL-ID):
====================================
95
Product & Service Introduction:
===============================
PGP Corporation is a global leader in email and data encryption software for Enterprise Data Protection.
Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest
set of integrated applications for enterprise data security. PGP® platform-enabled applications allow
organizations to meet current needs and expand as security requirements change for email, laptops, desktops,
instant messaging, smartphones, network storage, file transfers, automated processes, and backups. PGP®
encryption solutions have earned a reputation for innovative, standards-based, trusted solutions currently
used by more than 110,000 enterprises, businesses, and governments worldwide, including 96 percent of the
Fortune® 100, 74 percent of Fortune® Global 100, 80 percent of the German DAX Index and 71 percent of the
United Kingdom FTSE 100 Index. Customers depend on PGP solutions as part of a regulatory and audit compliance
solution, to protect confidential information, secure customer data, and safeguard companies' brands and reputations ...
(Copy of the Vendor Homepage: http://pgp.com/)
Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple Cross Site Scripting Vulnerabilities on the PGP.Com website.
Vulnerability Disclosure Timeline:
==================================
2011-07-15: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
Multiple client-side cross site scripting vulnerabilities were detected on the PGP main website.
This type of vulnerability allows an attacker to phish accounts and hijack unexpired customer sessions.
The vulnerability also allows forcing client-side SSL certificate requests as a bypass.
Vulnerable Module(s):
[+] Search Engine Output
[+] adirect - ?cmd= param
[+] Exception-handling
Pictures:
../pgp.com.png
../pgp.com2.png
../pgp.com3.png
../pgp.com4.png
../pgp.com5.png
Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers on the client side. The scenario requires high user interaction.
For demonstration or to reproduce ...
Path: https://eu.store.pgp.com/pgp/en/US/adirect/pgp
Param: ?cmd=
Reference:
https://eu.store.pgp.com/pgp/en/US/adirect/pgp?cmd=>"<INCLUDE OWN SCRIPtCODE HERE!!>&AddToCartProductID=200010
https://eu.store.pgp.com/pgp/en/US/adirect/pgp?cmd=>"<INCLUDE OWN SCRIPtCODE HERE!! scrolling="no" scrollbarvisable="no">&AddToCartProductID=200010
Path: http://www.pgp.com/search?q=
Param: ?q=
Reference:
http://www.pgp.com/search?q=>"<INCLUDE OWN SCRIPtCODE HERE!!>&restrict=newstore&site=pgp&output=xml_no_dtd&client=pgp&lr=&proxystylesheet=pgp&oe=
Exploitation through the exception handling is also possible, because the rejected request value is echoed unescaped in the error message ...
<!----------------------- START STACK TRACE ------------------------------
com.comergent.api.exception.ICCException: [CMGT_E_INVALID_REQUEST]: ">"<<EXECUTES THE SCRIPTCODE HERE!!! scrolling="no" scrollbarvisable="no"> is not a valid request"
at com.comergent.api.messageType.MessageTypeObjectFactory.makeException(MessageTypeObjectFactory.java:436)
at com.comergent.api.messageType.MessageTypeObjectFactory.getMessageType(MessageTypeObjectFactory.java:198)
at com.comergent.dcm.core.AppExecutionEnv.getMTInstance(AppExecutionEnv.java:200)
at com.comergent.dcm.core.DispatchServlet.createController(DispatchServlet.java:252)
at com.comergent.dcm.core.DispatchServlet.doExecute(DispatchServlet.java:428)
at com.comergent.pgp.dcm.core.PGPDispatchServlet.execute(PGPDispatchServlet.java:59)
at com.comergent.dcm.core.DispatchServlet.dispatch(DispatchServlet.java:189)
at com.comergent.dcm.core.DispatchServlet.doGet(DispatchServlet.java:145)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.CredentialPropagationFilter.executeFilter(CredentialPropagationFilter.java:57)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.AAFilter.executeFilter(AAFilter.java:54)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.WrappingFilter.executeFilter(WrappingFilter.java:113)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.StatsFilter.executeFilter(StatsFilter.java:38)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.RequestControlFilter.executeFilter(RequestControlFilter.java:102)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.TimingFilter.executeFilter(TimingFilter.java:46)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
at com.comergent.dcm.core.filters.EntryFilter.executeFilter(EntryFilter.java:51)
at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:619)
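As an added, defender-side illustration (not code from the advisory, from PGP, or from the Comergent platform), the following Python contrasts an error handler that interpolates the rejected `cmd` value into the page verbatim, which is the behaviour the stack trace above reveals, with one that HTML-encodes it; the same treatment applies to the search `q` parameter. The sample URL, the template text and the function names are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the advisory's PoC URL, carrying the
# advisory's harmless placeholder instead of script. No request is sent.
SAMPLE_URL = ('https://eu.store.pgp.com/pgp/en/US/adirect/pgp'
              '?cmd=%3E%22%3CINCLUDE%20OWN%20SCRIPtCODE%20HERE!!%3E'
              '&AddToCartProductID=200010')

# Assumed error template, modelled on the CMGT_E_INVALID_REQUEST message.
ERROR_TEMPLATE = ('<p class="error">[CMGT_E_INVALID_REQUEST]: '
                  '"{cmd}" is not a valid request</p>')

_TAG_RE = re.compile(r'<[^>]*>')


def cmd_from_url(url: str) -> str:
    """Return the raw cmd parameter after URL decoding, as a servlet sees it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get('cmd', [''])[0]


def render_error_unsafe(cmd: str) -> str:
    """Vulnerable pattern: the rejected command name is written into the HTML
    error page verbatim, so any '<', '>' or '"' in it becomes live markup."""
    return ERROR_TEMPLATE.format(cmd=cmd)


def render_error_safe(cmd: str) -> str:
    """Hardened pattern: HTML-encode the untrusted value for the element-body
    context before it reaches the page (html.escape covers & < > " and ')."""
    return ERROR_TEMPLATE.format(cmd=html.escape(cmd, quote=True))


def injected_tags(page: str) -> list:
    """List every tag in the rendered page that the template itself does not
    contain; a non-empty result means user-controlled markup survived."""
    own = set(_TAG_RE.findall(ERROR_TEMPLATE.format(cmd='')))
    return [t for t in _TAG_RE.findall(page) if t not in own]


if __name__ == '__main__':
    value = cmd_from_url(SAMPLE_URL)
    print('unsafe:', injected_tags(render_error_unsafe(value)))  # one foreign tag
    print('safe:  ', injected_tags(render_error_safe(value)))    # []
```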
Solution - Fix & Patch:
=======================
January 2011 - Quarter 1
Security Risk:
==============
The security risk of the vulnerabilities is estimated as low because of the client-side attack vector.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get permission.
Copyright © 2012 | Vulnerability Laboratory