Home page logo
/

bugtraq logo Bugtraq mailing list archives

CSS on Microsoft Content Management Server
From: <overclocking_a_la_abuela () hotmail com>
Date: 7 Oct 2002 23:45:41 -0000



Hi,

while doing a pen-test I found what seems a Cross Site Scriptting on 
Microsoft  Content Management Server. 
On M$ words:

"Microsoft® Content Management Server 2001 (MSCMS) is an enterprise Web 
content management system that enables companies to build, deploy, and 
maintain Internet, intranet, and extranet Web environments. One essential 
component of the Web development process is the planning and 
implementation of a security policy for the site.(...)"

Within Microsoft Content Management Server, the AESecurity Service 
authenticates users. In this forms-based authentication system, users 
trying to access a secure Web page are redirected to a login form (an 
Active Server Pages [ASP] script called ManualLogin.asp) where they must 
enter a user name and password. After the user enters credentials, the ASP 
script does an HTML post of the login credentials to an ASP script called 
ManualLoginSubmit.asp, which communicates the data to the server. 

If user authentication succeeds, MSCMS saves a session cookie with an 
encrypted token in the Web browser. The token is comprised of the user 
identity, the time of login, and the login IP address; it is encrypted in 
the cookie with the Server Security Key. Each time the user requests a new 
page, MSCMS validates the token and grants or denies access accordingly. 
When the user logs off, the token is removed from the Web browser, and 
when the browser is closed, the session cookie is destroyed

OK. The ManualLogin.asp has a parameter "REASONTXT" that shows the usual 
warning text:"You are using an insecure connection...".
But we can inject code here like this: ManualLogin.asp?
REASONTXT=<YOUR_SCRIPT>.

An example coud be:

http://vulnerable_site/NR/System/Access/ManualLogin.asp?
REASONTXT=&lt;script&gt;alert(document.cookie);window.open
("http://www.infohacking.com";);&lt;/SCRIPT&gt;

This demo-script has been intentionally contructed in this way (we don`t 
want people sending their cookies to our site...)

So, if we can force a user to open an URL like this (HTML mail for 
example), we could trick him to send his cookie.If the user has just log 
on to the vulnerable server, we will probably be able to steal his cookie 
and hijack his session...

Sorry for my bad english.

Hugo Vazquez Carames & Toni Cortes Martinez
www.infohacking.com

Thanks to our company (www.winmat.com) to let us lose time on 
investigating this "feature".







  By Date           By Thread  

Current thread:
  • CSS on Microsoft Content Management Server overclocking_a_la_abuela (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault