PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is AN xss issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low. 

http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result. 

2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file ( /var/log/ab2/logs/access-8888.log) or Error log file ( /var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, If an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature 

removal here: 

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported 

releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for 

the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and 

using other sources of documentation, namely the Solaris Documentation CD and online formats at 

http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1