exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

scip-sitescape.txt

scip-sitescape.txt
Posted Jul 13, 2007
Authored by Marc Ruef | Site scip.ch

SiteScape Forum versions prior to 7.3 suffer from an input validation flaw that allows for arbitrary javascript insertion.

tags | exploit, arbitrary, javascript
SHA-256 | 093f753a1723a404dac3f95d19723da79cf687420ced67ae4808de6b3d6f4f12

scip-sitescape.txt

Change Mirror Download
SiteScape forum prior 7.3 Cross Site Scripting

scip AG Vulnerability ID 3159 (07/13/2007)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159

I. INTRODUCTION

SiteScape forum is a commercial web forum. It uses presence to connect
teams through phone, IM, chat, SMS and email, as well as voice- and
web-conferencing. The application also supports online threaded
discussions and creation of content through blogs, wikis and
workflow-driven document and task management.

More information is available at the official web site at the following URL:

http://www.sitescape.com/

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within SiteScape
Forum prior release 7.3.

Some scripts that are not protected by any authentication procedure can
be used to run arbitrary script code within a cross site scripting attack.

Other parts of the application might be affected too.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.

The simple approach to verify an insecure installation is within the
login procedure. Use the following string as user name and a wrong
passwort for the simple proof-of-concept[1]:

<script>alert('scip');</script>

A plugin for our open-source exploiting framework "Attack Tool Kit"
(ATK) will be published in the near future. [2]

IV. IMPACT

Because non-authenticated parts of the software are affected, these
vulnerabilities are serious for every secure environment.
Non-authenticated users might be able to exploit this flaw to gain
elevated privileges (e.g. extracting sensitive cookie information or
launch a buffer overflow attack against another web browser).

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement.

VI. SOLUTION

We have informed SiteScape on a very early stage. They told us that the
problem was not announced within a public advisory. But it is already
solved within the latest release of the discussed software. Therefore,
an upgrade to SiteScape Forum 7.3 or newer will solve the issues.

VII. VENDOR RESPONSE

SiteScape has been informed a first time at 06/29/2007 via email at
info-at-sitescape.com. A very kind reply by Chris Pressley came back
some minutes later. Further discussion of the flaw (how to reproduce)
and the co-ordination of a public advisory was made.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3159

computec.ch document data base (german)
http://www.computec.ch/download.php

Die Kunst des Penetration Testing (german)
http://www.amazon.de/dp/3936546495/

IX. DISCLOSURE TIMELINE

06/27/07 Identification of the vulnerabilities
06/29/07 First response to info-at-sitescape.com
06/29/07 Immediate reply by Chris Pressley
07/09/07 Co-ordination of the advisory release
07/13/07 Public advisory

IX. CREDITS

The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.amazon.de/dp/3936546495/
[2] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close