exploit the possibilities

pro2col-xss.txt

pro2col-xss.txt
Posted Sep 12, 2008
Authored by Marc Ruef | Site scip.ch

Pro2col StingRay FTS suffers from a cross site scripting vulnerability via the login username functionality.

tags | exploit, xss
MD5 | 08c034f681ddb155997ab310477742e8

pro2col-xss.txt

Change Mirror Download
Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

I. INTRODUCTION

StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:

http://pro2col.com/solutions/products/stingray_fts

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within the current
release.

The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

<form name="form_login" method="post" action="verify_login.jsp">
<input type="hidden" name="form_browser_os" value="2">
<input type="hidden" name="form_browser_type" value="2">
<table border="0" cellspacing="0" width="100%"
class="loginheadertable">
<tr>
<td valign="center" class="loginheadertable">StingRay Login</td>

</tr>
</table>
<img border="0" src="images/line.jpg" width="100%" height="10"></img>
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr height="25" valign="middle">
<td width="15%">Benutzername</td>
<td width="35%"><input type="text" name="form_username"
size="30"></td>
<td width="50%">&nbsp;</td>

</tr>
<tr height="15" valign="middle">
<td>Passwort</td>
<td>
<input type="password" name="form_password" size="30">
</td>
<td>&nbsp;</td>
</tr>

</table>
<img border="0" src="images/line.jpg" width="100%" height="10">
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr>
<td width="50%" align="right">
<input type="Image" src="images/bt_login_de.gif" name="login"
class="formbutton"
onClick="SetBrowserParam(this.form);">
</td>
<td>&nbsp;</td>
</tr>

</table>
</form>

--- cut ---

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerabilities.

The approach to verify an insecure installation is possible with a
simple form input. Use the following string as user name and a wrong
passwort for the proof-of-concept:

<script>alert('scip');</script>

The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:

<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>

The detection of vulnerable hosts is possible via Google hacking too as
like Johnny Long has documented in his web database[1]. httprecon
supports web fingerprinting for such devices too[2]. A plugin for our
open-source exploiting framework Attack Tool Kit (ATK) will be published
in the future[3].

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launch a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told my via email, the discussed login part should be
available on the internal interface only.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to propose a HTML tag.
In some cases single (') or double quotes (") are required to inject the
code in a given HTML statement. Some implementation of security systems
are looking for well-known attack tags as like <script> and attack
attributes onMouseOver too. However, these are usually not capable of
identifying highly optimized payload.

VI. SOLUTION

We have informed Pro2col on an early stage. They confirmed the problem
and announced a bugfix for a release scheduled in March 2008 initially.
A re-scheduling was proposed and no further details provided. Our last
request stood unanswered for a long time.

VII. VENDOR RESPONSE

Pro2col has been informed a first time at 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce) were held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request stood unanswered for a long time.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

computec.ch document data base (german)
http://www.computec.ch/download.php

IX. DISCLOSURE TIMELINE

2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory

X. CREDITS

The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.computec.ch/projekte/httprecon/
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814
[3] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    32 Files
  • 25
    Nov 25th
    9 Files
  • 26
    Nov 26th
    11 Files
  • 27
    Nov 27th
    15 Files
  • 28
    Nov 28th
    9 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close