[NT] NFuse Cross Site Scripting Vulnerability
From: support@securiteam.comDate: 03/28/02
- Previous message: support@securiteam.com: "[NEWS] LDAP Connection Leak in CTI when User Authentication Fails"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 28 Mar 2002 13:02:29 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
NFuse Cross Site Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
NFuse provides several JSP (or asp) pages allowing administrator to create
their own application portal. In one these pages (launch.jsp or
launch.asp) it's possible to use the method getLastError() of the
TemplateParser object (in fact this method is inherited from the
WebPNObject object) to cause a cross site scripting vulnerability.
DETAILS
Vulnerable systems:
NFuse version 1.6
NFuse version 1.51
The CSS problem comes from the getLastError() method.
Your launch.jsp file contains a bit of code like this:
if (!parser.Parse())
{
out.println("Error: " + parser.getLastError());
}
else
{
..
}
Example:
Workaround :
ADDITIONAL INFORMATION
The information has been provided by
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
With a request like this you can get the cookie with login and password.
An example is shown here:
http://my_nfuse_portal.com/launch.jsp?NFuse_Application=
Do not print result of GetLastError() or filter the result before it is
used.
<mailto:eric.detoisien@global-secure.fr> Eric Detoisien.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
