
OmniTouch Instant Communication Suite XSRF / XSS

Posted Oct 25, 2011
Authored by Tobias Glemser

OmniTouch Instant Communication Suite suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 07892a2e4751df91fbe28681577a37dca30715e6cc870860ee5c81e2769086a2

TC-SA-2011-01: Multiple vulnerabilities in OmniTouch Instant Communication
Suite

Published: 2011/10/24
Advisory-Version: 1.0

References:
- Alcatel Lucent Vulnerability Statement 2011003 Multiple vulnerabilities
in OmniTouch Instant Communication Suite
- CVE-2011-4058 - multiple XSS vulnerabilities in Alcatel-Lucent
OmniTouch 8400 Instant Communication Suite
- CVE-2011-4059 - multiple CSRF vulnerabilities in Alcatel-Lucent
OmniTouch 8400 Instant Communication Suite
- Cert-IST reference number: Cert-IST/AV-2011.583
- URL of this advisory (used for updates):
http://www.tele-consulting.com/advisories/TC-SA-2011-01.txt

Affected products:
Alcatel Lucent OmniTouch 8400 Instant Communications
Suite (ICS) Version 6.1 Patch 102a
(older releases have not been tested)

Summary:
Alcatel Lucent's ICS offers Unified Communication services
through several access channels, such as handhelds and web clients.
The web client WebICS gives end users access to personal and
global address books and lets them initiate calls, set call
redirects etc.
Several common flaws were found in WebICS, including reflected
and stored XSS as well as CSRF. Reflected XSS was also found in
WebAdmin.

Possible Effects:
A stored XSS in the phonebook could be used to change the
end user's phone configuration, such as DND or call redirect.

Vulnerable Scripts WebICS:
CSRF
- /websoftphone/servlet/DispPhoneSet
- /websoftphone/servlet/DispRTC
- /websoftphone/servlet/DispPhoneSet

stored XSS:
- all Input-Fields of the phonebook

reflected XSS:

- /websoftphone/jsp/CBCallBackCont.jsp, parameter list
- /websoftphone/jsp/PhoneBookCont.jsp, parameter udatab
- /websoftphone/jsp/CustoData.jsp, parameter openwin
- /websoftphone/jsp/RTCNavigator.jsp, parameter sessionid
- /websoftphone/servlet/DispLogon, parameter next
- /websoftphone/servlet/DispLogon, parameter main


Vulnerable Scripts WebAdmin:
reflected XSS:
- /ClientMgmt/ClientMgmt, parameter action

Examples CSRF:
- Lock a phone
https://webics.yourdomain.local/websoftphone/servlet/ \
DispPhoneSet?method=setLock

- Dial
https://webics.yourdomain.local/websoftphone/servlet/ \
DispRTC?method=makeCall&number=XXXX

- Set DND
https://webics.yourdomain.local/websoftphone/servlet/ \
DispPhoneSet?method=setDoNotDisturb

- Set call forward
https://webics.yourdomain.local/websoftphone/servlet/ \
DispPhoneSet?method=setForward&type=immediate& \
FwdTarget=onSomeone&number=xxxx

Example reflected XSS (parameter list):
https://webics.yourdomain.local/websoftphone/jsp/ \
CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22 \
http://www.boeserangreifer.de%22%3E%3C&rand=0
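
Added example (not part of the original advisory): a log triage script that flags requests matching the patterns above, i.e. state-changing servlet calls that arrive without a same-site Referer, and markup characters in the parameters listed as reflected. It assumes the front-end web server writes Apache "combined" format access logs; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# State-changing servlet methods shown in the advisory's CSRF examples.
CSRF_METHODS = {
    "/websoftphone/servlet/DispPhoneSet": {"setLock", "setDoNotDisturb", "setForward"},
    "/websoftphone/servlet/DispRTC": {"makeCall"},
}
# Script/parameter pairs the advisory lists as reflected XSS.
XSS_PARAMS = {
    "/websoftphone/jsp/CBCallBackCont.jsp": {"list"},
    "/websoftphone/jsp/PhoneBookCont.jsp": {"udatab"},
    "/websoftphone/jsp/CustoData.jsp": {"openwin"},
    "/websoftphone/jsp/RTCNavigator.jsp": {"sessionid"},
    "/websoftphone/servlet/DispLogon": {"next", "main"},
    "/ClientMgmt/ClientMgmt": {"action"},
}
# Assumption: Apache/NCSA "combined" layout (request, status, size, referer).
LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \S+ "([^"]*)"')
MARKUP = re.compile(r'[<>"\']')

def scan(lines, own_host):
    """Return (line_no, finding) tuples for requests worth a closer look."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE.search(line)
        if not m:
            continue
        url, referer = urlsplit(m.group(1)), m.group(2)
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        # State change requested without a same-site Referer: possibly forged.
        if params.get("method", [""])[0] in CSRF_METHODS.get(url.path, ()):
            if urlsplit(referer).hostname != own_host:
                findings.append((no, "csrf-suspect"))
        # Markup characters in a parameter the advisory lists as reflected.
        for name in sorted(XSS_PARAMS.get(url.path, ())):
            if any(MARKUP.search(v) for v in params.get(name, [])):
                findings.append((no, "xss-probe:" + name))
    return findings

# Constructed sample log lines (not real traffic).
HOST = "webics.yourdomain.local"
_L = '10.0.0.5 - - [01/Nov/2011:10:00:00 +0100] "GET %s HTTP/1.1" 200 512 "%s" "UA"'
SAMPLE = [
    _L % ("/websoftphone/servlet/DispPhoneSet?method=setLock", "https://" + HOST + "/websoftphone/servlet/DispLogon"),
    _L % ("/websoftphone/servlet/DispPhoneSet?method=setForward&type=immediate&FwdTarget=onSomeone&number=0000", "http://example.invalid/page"),
    _L % ("/websoftphone/servlet/DispRTC?method=makeCall&number=0000", "-"),
    _L % ("/websoftphone/jsp/CBCallBackCont.jsp?list=%22%3Ex&rand=0", "https://" + HOST + "/websoftphone/servlet/DispLogon"),
]
```

A missing Referer is a triage signal rather than proof, since some clients and proxies strip the header.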

Possible solutions:
- install the vendor supplied hotfix

Disclosure Timeline:
2011/02/17 vendor contacted via psirt.security@alcatel-lucent.com
2011/02/18 initial vendor response
2011/06/27 vendor sent an internal advisory to business partners for
some reflected XSS issues
2011/07/20 vendor sent an updated internal advisory to business
partners that included a hotfix for some reflected XSS issues
2011/09/06 vendor sent an updated internal advisory to business
partners
2011/09/26 vendor sent an updated internal advisory to business
partners addressing all issues
2011/10/24 coordinated public disclosure

Credits:
Tobias Glemser (tglemser@tele-consulting.com)
Tele-Consulting security networking training GmbH, Germany
www.tele-consulting.com

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore Tele-Consulting shall
not be liable for any direct or indirect damages that might be
caused by using this information.

