pro2col-xss.txt
Posted Sep 12, 2008
Authored by Marc Ruef | Site scip.ch

Pro2col StingRay FTS suffers from a cross site scripting vulnerability via the login username functionality.

tags | exploit, xss
SHA-256 | 24f6911ba28f77c3b0dd0a5756d49433a480655e4285e291ee815c73fe7b74da

Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

I. INTRODUCTION

StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:

http://pro2col.com/solutions/products/stingray_fts

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within the current
release.

The initial logon script at /login.jsp, which is not protected by any
authentication procedure, can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

<form name="form_login" method="post" action="verify_login.jsp">
<input type="hidden" name="form_browser_os" value="2">
<input type="hidden" name="form_browser_type" value="2">
<table border="0" cellspacing="0" width="100%"
class="loginheadertable">
<tr>
<td valign="center" class="loginheadertable">StingRay Login</td>

</tr>
</table>
<img border="0" src="images/line.jpg" width="100%" height="10"></img>
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr height="25" valign="middle">
<td width="15%">Benutzername</td>
<td width="35%"><input type="text" name="form_username"
size="30"></td>
<td width="50%">&nbsp;</td>

</tr>
<tr height="15" valign="middle">
<td>Passwort</td>
<td>
<input type="password" name="form_password" size="30">
</td>
<td>&nbsp;</td>
</tr>

</table>
<img border="0" src="images/line.jpg" width="100%" height="10">
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr>
<td width="50%" align="right">
<input type="Image" src="images/bt_login_de.gif" name="login"
class="formbutton"
onClick="SetBrowserParam(this.form);">
</td>
<td>&nbsp;</td>
</tr>

</table>
</form>

--- cut ---

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerability.

An insecure installation can be verified with a simple form input. Use
the following string as user name together with a wrong password for the
proof-of-concept:

<script>alert('scip');</script>

The script injection happens in this line (between the H3 headers) in
the file /verify_login.jsp:

<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>
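The following Python model of the message shown above is an added example and not code from Pro2col or from the advisory author; it assumes nothing about the real verify_login.jsp beyond the one line the advisory quotes. It reproduces the observed behaviour (the submitted user name is inserted verbatim into element content) next to the hardened form, where the value is HTML-encoded before insertion, and it includes a small regression check a defender can keep around for every page that reflects user input.

```python
import html

# Proof-of-concept string exactly as given in section III of the advisory.
POC_USERNAME = "<script>alert('scip');</script>"

# Error message as shown in the advisory's verify_login.jsp excerpt (German
# text kept verbatim). "{user}" marks where the submitted user name lands.
TEMPLATE = ("<H3>Der Benutzer {user} konnte nicht in der "
            "Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>")


def render_vulnerable(username: str) -> str:
    """Mirrors the advisory's observation: the value is inserted unchanged,
    so any markup in it becomes part of the page (reflected XSS)."""
    return TEMPLATE.replace("{user}", username)


def render_hardened(username: str) -> str:
    """HTML-encodes the value before it is placed in element content.

    quote=True additionally encodes ' and ", which matters as soon as the
    same value is ever reflected inside an attribute value.
    """
    return TEMPLATE.replace("{user}", html.escape(username, quote=True))


def contains_raw_markup(document: str, submitted: str) -> bool:
    """Cheap regression check for this class of bug: a submitted value that
    contains markup must never appear verbatim in the generated response."""
    return submitted in document


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(POC_USERNAME))
    print("hardened:  ", render_hardened(POC_USERNAME))
```

The check is deliberately simple: it only asserts that the raw string did not survive. It does not replace context-aware output encoding (element content, attribute, URL and JavaScript contexts each need their own encoder); it merely catches the regression of forgetting to encode at all.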

The detection of vulnerable hosts is possible via Google hacking too, as
Johnny Long has documented in his web database[2]. httprecon supports web
fingerprinting for such devices too[1]. A plugin for our open-source
exploiting framework Attack Tool Kit (ATK) will be published in the
future[3].

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges
(e.g. extracting sensitive cookie information or launching a buffer
overflow attack against another web browser). However, as Robert Welz
with Pro2col told me via email, the discussed login part should be
available on the internal interface only.

Because other parts of the application might be affected too - this
could include some second order vulnerabilities - a severe attack
scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such a detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to form an HTML tag. In
some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security
systems also look for well-known attack tags such as <script> and attack
attributes such as onMouseOver. However, these are usually not capable of
identifying highly optimized payload.
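As an added example (not part of the advisory and not scip AG's or Pro2col's code), the script below turns the detection patterns listed in this section into a small inspector for decoded POST bodies, which is what a web proxy or IDS would see for a request to verify_login.jsp. The parameter names form_username and form_password come from the form excerpt in section II; the sample submissions are constructed. It normalizes URL encoding and HTML entities before matching, so the advisory's proof-of-concept is caught whether it arrives raw, URL-encoded or entity-encoded, and it treats a lone quote as too weak to alert on, since names like O'Neil contain one.

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote_plus

# Signals named in section V of the advisory: angle brackets (needed to form
# a tag), quotes (needed to break out of an attribute), the <script> tag and
# on*= event-handler attributes such as onMouseOver.
_SIGNALS = {
    "angle_bracket": re.compile(r"[<>]"),
    "quote": re.compile(r"['\"]"),
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def normalize(value: str, rounds: int = 2) -> str:
    """Undo the encodings a browser or proxy may have applied before matching.

    Each round URL-decodes and then resolves HTML entities; two rounds cover
    the common double-encoded case. Plain text is left unchanged.
    """
    for _ in range(rounds):
        value = html.unescape(unquote_plus(value))
    return value


def classify(value: str) -> list[str]:
    """Names of all signals present in one submitted parameter value."""
    text = normalize(value)
    return [name for name, rx in _SIGNALS.items() if rx.search(text)]


def alert_worthy(hits: list[str]) -> bool:
    """A quote on its own is common in legitimate input; alert only when a
    tag- or attribute-forming signal is present as well."""
    return any(h != "quote" for h in hits)


def scan_request(params: dict[str, str]) -> dict[str, list[str]]:
    """Per-parameter hits for one decoded POST body."""
    return {k: hits for k, v in params.items() if (hits := classify(v))}


def scan_requests(requests: list[dict[str, str]]) -> dict[int, dict[str, list[str]]]:
    """Index -> report for every request that warrants an alert."""
    flagged = {}
    for i, params in enumerate(requests):
        report = scan_request(params)
        if any(alert_worthy(h) for h in report.values()):
            flagged[i] = report
    return flagged


# Constructed sample submissions (not real traffic). Index 1 is the advisory's
# PoC as typed; 2 and 3 are the same string URL- and entity-encoded; 4 carries
# only the attribute name the advisory cites; 0 and 5 are benign.
SAMPLE_REQUESTS = [
    {"form_username": "alice", "form_password": "wrong"},
    {"form_username": "<script>alert('scip');</script>", "form_password": "x"},
    {"form_username": "%3Cscript%3Ealert(%27scip%27)%3B%3C%2Fscript%3E",
     "form_password": "x"},
    {"form_username": "&lt;script&gt;alert('scip');&lt;/script&gt;",
     "form_password": "x"},
    {"form_username": "\" onMouseOver=\"", "form_password": "x"},
    {"form_username": "o'neil", "form_password": "x"},
]

if __name__ == "__main__":
    for idx, report in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {report}")
```

The normalization step is the part worth copying: a signature that is matched against the wire form of the parameter misses the two encoded submissions entirely, which is exactly the "highly optimized payload" limitation the advisory points out. Matching after decoding narrows, but does not close, that gap.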

VI. SOLUTION

We have informed Pro2col at an early stage. They confirmed the problem
and initially announced a bugfix for a release scheduled in March 2008.
A re-scheduling was proposed and no further details were provided. Our
last request stood unanswered for a long time.

VII. VENDOR RESPONSE

Pro2col was first informed on 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce) was held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request stood unanswered for a long time.

VIII. SOURCES

scip AG - Security Consulting Information Process (german)
http://www.scip.ch/

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809

computec.ch document data base (german)
http://www.computec.ch/download.php

IX. DISCLOSURE TIMELINE

2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory

X. CREDITS

The vulnerabilities were discovered by Marc Ruef.

Marc Ruef, scip AG, Zuerich, Switzerland
maru-at-scip.ch
http://www.scip.ch/

A1. BIBLIOGRAPHY

[1] http://www.computec.ch/projekte/httprecon/
[2] http://johnny.ihackstuff.com/ghdb.php?function=detail&id=1814
[3] http://www.computec.ch/projekte/atk/

A2. LEGAL NOTICES

Copyright (c) 2007-2008 scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.