OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
'ken'_at_FTU
Date: Tue Oct 08 2002 - 20:54:50 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Please note these vulnerabilities are *not* the ones mentioned by Matt
    Moore last week.

    I've been working with SurfControl for a few months now to resolve these
    issues in the Administrative Web interface for the SuperScout Email
    Filter. (Read: I discovered these vulnerabilities independently, before
    Matt Moore's post.)

    SurfControl released a fix. Please contact them for it.

    Now on with the disclosure.

    The four SurfControl vulnerabilities are as follows:
    1) a cross-site scripting vulnerability
    2) user name and password exposure
    3) Content-Length GET Denial of Service
    4) Incomplete GET Request Denial of Service

    The executable effected is STEMWADM.

    1) Cross-Site Scripting Issue
    As Matt Moore explained, the product does not filter user input. The
    user does not need to be authenticated to have the following executed
    against their browser.

    Normal Error:
    http://>/web/msgError.asp?Redirect=login.htm&Reason=Invalid+username+or+password!
    XSS Example:
    http://>/web/msgError.asp?Redirect=loginhtm&Reason=<script>alert(document.cookie);</script>

    2) Data Integrity Problem

    Any user with access to the URL below will receive the user names and
    passwords (in plain text) of every user in the SurfControl
    Administrative server.

    URL: http:// Address>/web/usermgr/userlist.asp

    Sample HTML output:

    <tr BGCOLOR=#EEEEEE><td><a
    href='actions/edituser.asp?User=ken&Password=ken&Enabled=Enabled&Email=kenftusecurity.com' title='Edit user' onMouseOver="window.status='Edit ken';return true;" onMouseOut="window.status=' ';return true;">ken</a></td><td><b>Enabled</b></td></tr><tr BGCOLOR=#DDDDDD><td><a href='actions/edituser.asp?User=test&Password=test&Enabled=Enabled&Email=kenftusecurity.com' title='Edit user' onMouseOver="window.status='Edit test';return true;" onMouseOut="window.status=' ';return true;">test</a></td><td><b>Enabled</b></td></tr>

    3) Denial of Service via missing Content-Length Parameter

    If one requests a web page and does not supply a content-length value
    the server crashes and must be restarted.

    4) Denial of Service via an incomplete GET request

    If a GET request is made but does not finish (\r\n\r\n), the server will
    continue to wait for the closing characters. As a result no one else may
    request a web page, in effect denying service to other administrators.

    'ken'FTU

    ==================================
               'ken'FTU
            http://www.ftusecurity.com
    ...serving straight HTML since '02