[NT] BRS WebWeaver Error Page Cross-Site Scripting Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 06/26/03

    To: list@securiteam.com
    Date: 26 Jun 2003 17:58:50 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BRS WebWeaver Error Page Cross-Site Scripting Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    BRS WebWeaver (http://www.bsoutham.org/) is a small, fast HTTP and FTP
    server for Win9x/WinNT. A vulnerability has been identified in BRS
    WebWeaver that can be exploited by malicious people to conduct
    cross-site scripting attacks against visitors.

    DETAILS

    Vulnerable systems:
     * BRS WebWeaver version 1.0.4
     * BRS WebWeaver version 1.0.3

    Immune systems:
     * BRS WebWeaver version 1.05

    The vulnerability is caused by a lack of input validation: the name of
    a resource requested by a user is included in certain error pages
    without prior sanitization.

    A malicious person can exploit this by constructing a link that includes
    arbitrary script code. If a user is tricked into clicking the link or
    visiting a malicious website, the script code will be executed in the
    user's browser session.

    Successful exploitation may result in disclosure of various information
    (e.g. cookie-based authentication information) associated with the site
    running BRS WebWeaver, or inclusion of malicious content, which the user
    thinks is part of the real website.

    Example exploiting a "404 Not Found" error page:
    http://[victim]/< script>alert(document.domain)</script>
     
    Example exploiting a "403 Access Denied":
    http://[victim]/< script>alert(document.domain)</script>AAA..[196]..AAA
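
The flaw and its usual remedy, as an added example that is not code from the advisory or from BRS WebWeaver: an error page builder that embeds the requested resource name verbatim, next to one that HTML-encodes it first. The template, function names and probe string are assumptions made for illustration, and the advisory does not say how version 1.05 implements its fix.

```python
import html
from urllib.parse import quote, unquote

# Hypothetical error-page template; the advisory does not show WebWeaver's markup.
TEMPLATE = ("<html><head><title>{code} {reason}</title></head>"
            "<body><h1>{reason}</h1><p>Resource: {name}</p></body></html>")
REASONS = {404: "Not Found", 403: "Access Denied"}


def error_page_vulnerable(code, raw_path):
    """Embed the decoded resource name verbatim, the flaw the advisory describes."""
    return TEMPLATE.format(code=code, reason=REASONS[code], name=unquote(raw_path))


def error_page_fixed(code, raw_path):
    """Same page, with the resource name HTML-encoded before it is embedded."""
    name = html.escape(unquote(raw_path), quote=True)
    return TEMPLATE.format(code=code, reason=REASONS[code], name=name)


def reflects_markup(page, probe):
    """True when the probe reaches the page with its markup characters intact."""
    return probe in page


# Constructed, harmless probe covering the five HTML-significant characters.
PROBE = "<i>probe</i>\"'&"
# Constructed request paths: a short name for the 404 page and a padded name
# for the 403 page (padding length taken from the advisory's second example).
REQUESTS = {404: "/" + quote(PROBE), 403: "/" + quote(PROBE) + "A" * 196}


def audit(builder):
    """Return {status code: probe reflected unencoded?} for one page builder."""
    return {code: reflects_markup(builder(code, path), PROBE)
            for code, path in REQUESTS.items()}


if __name__ == "__main__":
    print("vulnerable:", audit(error_page_vulnerable))
    print("fixed:     ", audit(error_page_fixed))
```

The same reflection check can be run against any page builder that echoes request data, which makes it usable as a regression test for error templates.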

    Solution:
    Update to version 1.05:
     
    http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=2

    Disclosure timeline:
    26/04/2003 - Vulnerability discovered.
    29/04/2003 - Vendor notified (info@brswebweaver.com).
    07/05/2003 - Vendor notified again.
    07/05/2003 - Vendor reply.
    03/06/2003 - Vendor releases v1.05 BETA.
    24/06/2003 - Vendor releases v1.05.
    26/06/2003 - Public disclosure.

    ADDITIONAL INFORMATION

    The information has been provided by Carsten H. Eiram
    (che@secunia.com).


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

