[NEWS] SARA Cross-site Scripting Vulnerability
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 18 Dec 2003 15:49:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
SARA Cross-site Scripting Vulnerability
SARA, a descendent of SATAN, is a tool for probing networks for
vulnerabilities (ideally to fix them). It creates its own mini-http server
to enable the user to interact with the main process through a standard
web browser. If scanning in interactive mode, information about target
hosts and services running on them is displayed, and in some cases, this
includes banners from the service. In SARA version 4.2.7 and before, the
service banners were not properly sanitized, allowing HTML content in the
banner to be processed by the administrative web browser.
* SARA versions 4.2.6 and 4.2.7
* SARA version 5.0.0
This allows standard cross-site scripting issues, which might be seriously
exascerbated by the facts that:
i) the normal mode of operation is for the web browser to be started by
SARA, and as SARA must be run as root for scanning operations, the web
browser is typically a root owned process.
ii) The simplified HTTP server automatically assigns the values of html
form variables to global variables in the perl script with the same name.
Advanced Research Corporation was contacted about the issue 20 Nov, and
has included code in version 5.0.0 of the package to deal with the
problem. Upgrading is recommended (see <http://www-arc.com/sara/>
http://www-arc.com/sara/ for download information).
The information has been provided by <mailto:firstname.lastname@example.org>
Thomas M. Payerle.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.