Advisory: Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS)
vulnerability in Endeca Latitude. By exploiting this vulnerability an
attacker is able to execute arbitrary JavaScript code in the context
of other Endeca Latitude users.


Details
=======

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE:  CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400


Introduction
============

Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.

(from the vendor's homepage)


More Details
============

Endeca Latitude offers administrators to trigger different functions by
using the following two URLs (see [1]):

 * http://example.com/config?op=<supported-operation>
 * http://example.com/admin?op=<supported-operation>

When accessing such an URL which uses an invalid value for the HTTP GET
parameter "op", such as
http://example.com/config?op=RedTeam%20Pentesting, an error message is
shown by the webapplication and the invalid value is directly embedded
into the document without prior escaping, which leads to a Cross-Site
Scripting vulnerability.


Proof of Concept
================

As shown by the following URL, an attacker is able to embed arbitrary
JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=<script>alert('RedTeam Pentesting');</script>


Workaround
==========

The vendor did not update the vulnerable software, but recommends to
configure all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.


Fix
===

Not available. The vendor did not update the vulnerable software to
remedy this issue.


Security Risk
=============

The vulnerability can be used to embed arbitrary JavaScript code and
therefore offers a wide range of possible attacks such as stealing
cookies or displaying a fake login form. Furthermore, an attacker can use
this vulnerability to control the Endeca Latitude instance by using the
API implemented by its web service (see [2]). The risk of this
vulnerability is therefore considered to be high.


Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
           CPU
2014-03-13 Vendor responded with additional information about a
           potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
           information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released



References
==========

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen