Hello list!

I want to warn you about vulnerabilities in Avaya IP Office Customer Call
Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site
Scripting) vulnerabilities.

After I found multiple vulnerabilities in Avaya IP Office Customer Call
Reporter in December, I informed ZDI about them (critical ones). ZDI was
very slow in processing these holes (regardless of my remindings) and only
at 30th of July they begun actively working with them. I wrote about this
case with ZDI in WASC Mailing List
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).

When Avaya ignored my informing in July and ZDI stopped working on this case
in August (since Avaya was not responding to them also), I published these
two vulnerabilities (the least critical). There are many other
vulnerabilities, including critical holes which allow to take control over
admin panel, so Avaya still has a chance to get details of vulnerabilities
in their product before public disclosure.

-------------------------
Affected products:
-------------------------

Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in
December 2012) and 9.0.0.0 (tested recently) and previous versions.

-------------------------
Affected vendors:
-------------------------

Avaya Inc.
http://www.avaya.com

----------
Details:
----------

Remote HTML Include (Frame Injection) (WASC-12):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua

Remote XSS Include (Cross-Site Scripting) (WASC-08):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html

------------
Timeline:
------------ 

2012.12.06 - found multiple vulnerabilities (these ones and other critical
holes).
2012.12.13 - informed ZDI about other critical vulnerabilities.
2012.12.18 - again informed ZDI about other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through
the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and
other critical vulnerabilities, due to slowness of ZDI.
2013.07.29 - wrote about ZDI in WASC Mailing List.
2013.07.30 - if earlier ZDI only pretended they work on the case, then this
time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was
not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua