[Full-disclosure] CORE-2009-0109 - Multiple XSS in Sun Communications Express



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Multiple XSS in Sun Communications Express


1. *Advisory Information*

Title: Multiple XSS in Sun Communications Express
Advisory ID: CORE-2009-0109
Advisory URL: http://www.coresecurity.com/content/sun-communications-express
Date published: 2009-05-20
Date of last update: 2009-05-20
Vendors contacted: Sun Microsystems
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Cross site scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 34154, 34155
CVE Name: CVE-2009-1729


3. *Vulnerability Description*

Several cross-site scripting vulnerabilities were found in the following
files/urls of the Sun Java System Communications Express [1] :

1. 'https://<server>/uwc/abs/search.xml?'
2. 'http://<server>/uwc/base/UWCMain'

Cross-site scripting (XSS) vulnerabilities [2], [3] allow an attacker
to execute arbitrary scripting code in the context of the user browser
(in the vulnerable application's domain). For example, an attacker could
exploit a XSS vulnerability to steal user cookies (and then impersonate
the legitimate user) or fake a page requesting information to the user
(i.e. credentials). This vulnerability occurs when user-supplied data is
displayed without encoding.


4. *Vulnerable packages*

4.1. *SPARC Platform*

. Sun Java System Communications Express 6.3 (Communications Suite 5
or 6) without patch 122793-26.
. Sun Java System Communications Express 6 2005Q4 (6.2).


4.2. *x86 Platform*

. Sun Java System Communications Express 6.3 (Communications Suite 5
or 6) without patch 122794-26.
. Sun Java System Communications Express 6 2005Q4 (6.2).


4.3. *Linux*

. Sun Java System Communications Express 6.3 (Communications Suite 5
or 6) without patch 122795-26.
. Sun Java System Communications Express 6 2005Q4 (6.2).


5. *Non-vulnerable packages*

. Sun Java System Communications Express 6.3 with the patches
described in sections 4.1, 4.2 and 4.3.


6. *Vendor Information, Solutions and Workarounds*

The Sun Alert for this issue has been assigned id 258068 and it is
available at the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-258068-1.


7. *Credits*

These vulnerabilities were discovered by the SCS team from Core Security
Technologies.


8. *Technical Description / Proof of Concept Code*

Cross-Site Scripting (commonly referred to as XSS) attacks are the
result of improper encoding or filtering of input obtained from
untrusted sources. Basically, they consist in the attacker injecting
malicious tags and/or script code that is executed by the user's web
browser when accessing the vulnerable web site. The injected code then
takes advantage of the trust given by the user to the vulnerable site.
These attacks are usually targeted at all users of a web application
rather than at the application itself (although one could say that the
users are affected because of a vulnerability of the web application).
The term 'cross-site scripting' is also sometimes used in a
broader-sense referring to different types of attacks involving script
injection into the client. For additional information, please look at
the references [2], [3], [4], [5] and [6].


8.1. *Vulnerability #1 - XSS (BID 34154, CVE-2009-1729)*

Cross-site scripting vulnerabilities were found in the following file/url:

/-----------

https://<server>/uwc/abs/search.xml?
- -----------/

This is part of the 'Personal Address Book->Add contact' functionality.
Although the affected URL is originally accessed through a POST request,
this vulnerability can be exploited both with a GET and with a POST
request. Using the following variables:

/-----------

abperson_displayName
- -----------/

The contents of the variables previously mentioned are not being
encoded at the time of using them in HTML output, therefore allowing an
attacker who controls their content to insert javascript code.

The following code is a proof of concept of this flaw:

/-----------

https://<server>/uwc/abs/search.xml?bookid=e11e46531a8a0&j_encoding=UTF-8&uiaction=quickaddcontact&entryid=&valueseparator=%3B&prefix=abperson_&stopalreadyselected=1&isselchanged=0&idstoadd=&selectedbookid=&type=abperson%2Cgroup&wcfg_groupview=&wcfg_searchmode=&stopsearch=1&expandgroup=&expandselectedgroup=&expandonmissing=&nextview=&bookid=e11e46531a8a0&actionbookid=e11e46531a8a0&searchid=7&filter=entry%2Fdisplayname%3D*&firstentry=0&sortby=%2Bentry%2Fdisplayname&curbookid=e11e46531a8a0&searchelem=0&searchby=contains&searchstring=Search+for&searchbookid=e11e46531a8a0&abperson_givenName=aa&abperson_sn=aa&abperson_piEmail1=a%40a.com&abperson_piEmail1Type=work&abperson_piPhone1=11&abperson_piPhone1Type=work&quickaddprefix=abperson_&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E%2C+%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E&abperson_entrytype=abperson&abperson_memberOfPIBook=e11e46531a8a0
- -----------/


8.2. *Vulnerability #2 - XSS (BID 34155, CVE-2009-1729)*

Cross-site scripting vulnerabilities were found in the following file/url:

/-----------

http://<server>/uwc/base/UWCMain
- -----------/

The contents of the url are not being encoded at the time of using them
in HTML output, therefore allowing an attacker who controls their
content to insert javascript code.

This vulnerability can be exploited through a GET request, and the user
does not need to be logged into the web application. This makes this
cross-site scripting vulnerability perfect to be used by attackers on
email-based attacks. An attacker can send via email a link to a
'calendar' and 'exploit' the victim.

The following code is a proof of concept of this flaw:

/-----------

http://<server>/uwc/base/UWCMain?anon=true&calid=test@xxxxxxxx&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@xxxxxxxx%27;alert(%27hello%27);a=%27
- -----------/


9. *Report Timeline*

. 2009-01-09:
Core Security Technologies notifies Sun Security Coordination Team of
the vulnerability, setting the estimated publication date of the
advisory to Feb 2nd. Technical details are sent to Communications
Express team.

. 2009-01-09:
The vendor acknowledges reception of the report and asks Core to
postpone publication of the security advisory in order to have enough
time to investigate and fix the bugs. Vendor requests GPG key of Core's
security Advisories team.

. 2009-01-12:
Core agrees to postpone the advisory publication but asks the vendor for
a feedback of their engineering team as soon as possible in order to
coordinate the release date of fixes and security advisories.

. 2009-01-21:
Core asks the vendor an estimated date for the release of patches and
fixes.

. 2009-01-21:
Sun Security Coordination Team notifies Core that the vendor's
engineering team is hoping to have patches released sometime near the
end of February or the beginning of March. The time-frame is tentative
due to the vendor's QA testing process that includes testing of all
patches which may include fixes to bugs unrelated to those reported by
Core.

. 2009-02-06:
Core re-schedules the advisory publication date to Feb 25th. Updated
timeline sent to the vendor requesting confirmation that patches will be
released by then.

. 2009-02-16:
The vendor asks Core to delay the advisory publication until the end of
March, in order to finish a rigorous process of internal testing.

. 2009-02-16:
Core re-schedules the advisory publication date to March 30th. Core
indicates that it would appreciate further technical details about the
flaws from the vendors engineering team.

. 2009-02-17:
Vendor acknowledges previous email.

. 2009-03-17:
Core reminds the vendor that the publication of the advisory is
scheduled for March 30th. Core also requests updated information about
the development and release of fixed versions.

. 2009-03-23:
Vendor confirms that it is on track to have the fix ready for
publication at the end of this month, March 30th, and provides a list of
affected products and versions.

. 2009-03-24:
Vendor states that there was a confusion on his end, and that patches
are scheduled to complete testing and to be published on 22nd April
2009. Vendor requests Core to delay publication of its advisory.

. 2009-03-25:
Core confirms that the advisory publication is rescheduled to April 22nd.

. 2009-04-08:
Sun engineering team informs that they have a fix for other flaw
reported by Core [7]. This fix is currently undergoing Sun standard
testing, and vendor expect to be ready to publish the patch on Monday
20th April 2009.

. 2009-04-16:
Sun engineering team confirms they are still planning to release the fix
for [7] on 20th April 2009.

. 2009-04-17:
Core ask Sun engineering team for the vulnerability reported in this
advisory (Sun Communication Express). Core requires an estimated date
for the release of patches and fixes.

. 2009-04-20:
Sun engineering team informs that the issue which affects Communications
Express is planned for publication later in the week. The vendor will
get back to Core with a more final date once they have confirmed the
details.

. 2009-04-22:
Sun engineering team informs that the fix related to Communications
Express is currently undergoing internal testing and they expect to be
ready to publish the fixes and the sun alert on 6th May 2009.

. 2009-04-29:
Core re-schedules the advisory publication date to 6th May 2009, asks
Sun for an URL of the corresponding Sun alert and a list of
non-vulnerable packages.

. 2009-05-05:
Sun engineering team informs that they are experiencing some
difficulties related to the final release stages of the fix for this
bug. The vendor will not be ready to go public with this fix tomorrow.

. 2009-05-05:
Core responds that it is possible to postpone the publication of the
advisory, but asks Sun engineering team for an estimated date to reach
the final release of the fix as soon as possible.

. 2009-05-08:
Sun engineering team informs they are still experiencing some delays
with the final stages of this release process and asks to delay the
publication of the advisory.

. 2009-05-18:
Sun engineering team confirms that they have resolved the outstanding
issues related to this vulnerability and they expect to be ready to
publish the fixes on Wednesday 20th May.

. 2009-05-18:
Core re-schedules the advisory publication date to 20th May.

. 2009-05-20: The advisory CORE-2009-0109 is published.


10. *References*

[1]
http://www.sun.com/software/products/calendar_srvr/comms_express/index.xml
[2] HTML Code Injection and Cross-Site Scripting
http://www.technicalinfo.net/papers/CSS.html.
[3] The Cross-Site Scripting FAQ (XSS)
http://www.cgisecurity.com/articles/xss-faq.shtml
[4] How to prevent Cross-Site Scripting Security Issues
http://support.microsoft.com/default.aspx?scid=KB;en-us;q252985
[5] How to review ASP Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253119
[6] How to review Visual InterDev Generated Code for CSSI Vulnerability
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253120
[7] HTTP Response Splitting vulnerability in Sun Delegated Administrator
- - http://www.coresecurity.com/content/sun-delegated-administrator


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKFEWVyNibggitWa0RAqSuAKCRr0zxGIvhYRVD92VLI7W1pJezQwCfVvSO
SNbJmS6GjYkZPyIfI3+JIpw=
=wOZe
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages