OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Gründl (pgrundl_at_kpmg.dk)
Date: Wed Jul 17 2002 - 04:31:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------------------------------------

    Title: Macromedia Sitespring Cross Site Scripting

    BUG-ID: 2002032
    Released: 17th Jul 2002
    --------------------------------------------------------------------

    Problem:
    ========
    A malicious user could use a default error page as the basis for a
    cross site scripting attack.

    Vulnerable:
    ===========
    - Macromedia Sitespring V1.2.0(277.1) on Windows 2000 Server

    Details:
    ========
    The default HTTP 500 error script does not check the contents of the
    error ticket (et) parameter before outputting it. That makes it
    possible to inject eg. javascript in the URL.

    http://server/error/500error.jsp?et=1>alert('KPMG')</script>

    Vendor URL:
    ===========
    You can visit the vendor webpage here:
    http://www.macromedia.com

    Vendor response:
    ================
    The vendor was notified on the 16th of April, 2002. The vendor has
    since removed the trial software from the webpage. To our knowledge
    there is no scheduled release date for a patch.

    Additional notes:
    =================
    Quoted from the vendors webpage:

    "We will continue to provide technical support for Sitespring
     through May 2004. Please continue to visit the Sitespring support
     center for TechNotes, white papers, and other product information.
     If you've purchased a technical support plan for Sitespring, we
     will continue to provide support pursuant to the terms of your
     support agreement. Even though we will not be selling annual
     Sitespring support packages, you can purchase incident-based
     support from a technical support engineer."

    Corrective action:
    ==================
    Replace the error script with a custom error page. If you do not
    know how to create a .jsp file, simply create a standard 500 error
    page in html, and rename it to .jsp.

    Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------