exploit the possibilities

netegrityXSS.txt

netegrityXSS.txt
Posted Jul 1, 2004
Authored by HexView

A cross site scripting vulnerability exists in Netegrity IdentityMinder Web Edition 5.6 SP2 for Windows and Netegrity Policy Server version 5.5.

tags | advisory, web, xss
systems | windows
MD5 | 2b214c050da725dba066adffb8ca0d4f

netegrityXSS.txt

Change Mirror Download
Cross-Site Scripting (XSS) Vulnerability in Netegrity IdentityMinder

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2004*07*02*1

Overview:
=========
IdentityMinder is an identity and role management product developed by
Netegrity (http://www.netegrity.com), a microsoft gold-certified
identity and access management partner. Both primary and management web
interfaces are vulnerable to classic cross-site scripting (XSS) attacks.

Affected products:
==================
All tests were performed using Netegrity IdentityMinder Web Edition 5.6 SP2
for Windows, IIS Server, and Netegrity Policy Server V5.5. Possibly all other
IdentityMinder releases are vulnerable.

Cause and Effect:
=================
Although IdentityMinder product employs URL filtering capabilities that
disallow using common XSS characters in the URL, it is possible to
submit the URL string containing any character using zero-byte string
poisoning method. The part of the URL after %00 character is not checked
against XSS characters. Management interface is also vulnerable to XSS
and does not even require zero-byte poisoning.
The vulnerability makes possible to execute scripts in the context of webpage
with current IdentityMinder user privileges. It can be used to steal page data,
and/or to perform ItentityMinder tasks with the privileges of logged-in user.

Demonstration:
==============
The problem can be reproduced by entering following the link below (split over
several lines for readability). The example link is form action link from
ViewGroup search dialog. Please note that you need to replace PUT_*_HERE's
with your actual variables.

http://PUT_ADDRESS_HERE/idm/PUT_SITE_NAME_HERE/ims_mainconsole_principalpopuphandler.do?
searchAttrs0=%25GROUP_NAME%25&searchOperators0=EQUALS&searchFilter0=
&searchOrgDN=PUT_DN_HERE&incChildrenOrgFlag=NO&resultsPerPage=10&oid=
&imsui_taskstate=RESOLVE_SCOPE&imsui_tpnametosearch=group
&numOfExpressions=1%00<script>alert(document.cookie)</script>

Here is another link demonstrating the problem in IdentityMinder management
interface. Note that %00 poisoning is not required.

http://PUT_ADDRESS_HERE:7001/idmmanage/mobjattr.do?diroid=PUT_OID_HERE
&attrname=Group%20Members&mobjtype=2<script>alert(document.cookie)</script>

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vuln@hexview.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    18 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close