exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Novell Teaming Enumeration / XSS

Novell Teaming Enumeration / XSS
Posted Apr 15, 2009
Authored by Michael Kirchner | Site sec-consult.com

SEC Consult Security Advisory 20090415-0 - Multiple vulnerabilities have been identified in Novell Teaming. These include enumeration of usernames, information disclosure, and cross site scripting flaws. Version 1.0.3 is vulnerable.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | e32f1a48232fe353e2a85526ef291e78bafffd7789d861410bca9cc87b1b1dc3

Novell Teaming Enumeration / XSS

Change Mirror Download
SEC Consult Security Advisory < 20090415-0 >
==========================================================================
title: Novell Teaming Multiple Vulnerabilities
* Username Enumeration
* Multiple Cross Site Scripting
* Includes vulnerable Liferay portal
program: Novell Teaming
vulnerable version: 1.0.3
homepage: http://www.novell.com/products/teaming/
found: February 2009
by: Michael Kirchner, SEC Consult Vulnerability Lab
link:
https://www.sec-consult.com/files/20090415-0-novell-teaming.txt
==========================================================================

Vendor description:
-------------------

Web conferencing software from Novell. Teaming and conferencing offers a
number of solutions to improve productivity for enterprises, with web
conferencing just one of those solutions.

[source: http://www.novell.com/products/teaming/]


Vulnerability overview:
-----------------------

Multiple vulnerabilities have been identified in Novell Teaming. These
include enumeration of usernames, information disclosure, and cross site
scripting flaws. An attacker could leverage these vulnerabilities to
collect information about the system and its users and conduct effective
(XSS supported) hybrid phishing attacks.


Vulnerability description:
-------------------------

1. Username enumeration:

User authentication takes place via a login form at:

https://teaming.example.com/c/portal/login

The web application reacts differently for valid and invalid usernames
("Please enter a valid login" / "Auhtentication failed"). This allows an
attacker to deduce wether a spedific username exists. The attacker could
use this flaw to generate a list of usernames for dictionary- or
bruteforce-attacks.

2. Cross site scripting:

The parameters p_p_state and p_p_mode are not validated or escaped by
the web application. Script code can be injected into these parameters,
allowing for cross site scripting attacks. Example:

https://teaming.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE

3. Vulnerable Liferay portal:

Novell Teaming includes a version of Liferay portal with known
vulnerabilities (two cross site scripting flaws):

* Liferay Portal "login" Cross-Site Scripting Vulnerability
http://secunia.com/advisories/27537/
* Liferay Portal "emailAddress" Cross-Site Scripting
http://secunia.com/advisories/27821/

-

Proof of concept:
-----------------

No special exploit code is required to exploit this vulnerabilities.


Vulnerable versions:
--------------------

Version 1.0.3 of Novell Teaming is vulnerable to the issues described.
Prior versions are most likely also vulnerable.


Vendor contact timeline:
------------------------

2009-02-19: Vendor informed about vulnerabilities
2009-04-14: Patches available


Patch:
------

The vendor has provided fixes for the issues described. In addition, two
Technical Information Documents containing update instructions have been
released. These can be found at the following URLs:

* TID 7002997
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

* TID 7002999
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    32 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close