[NEWS] SARA Cross-site Scripting Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 12/18/03

  • Next message: SecuriTeam: "[NT] Multiple DUWare Vulnerabilities"
    To: list@securiteam.com
    Date: 18 Dec 2003 15:49:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SARA Cross-site Scripting Vulnerability


    SARA, a descendent of SATAN, is a tool for probing networks for
    vulnerabilities (ideally to fix them). It creates its own mini-http server
    to enable the user to interact with the main process through a standard
    web browser. If scanning in interactive mode, information about target
    hosts and services running on them is displayed, and in some cases, this
    includes banners from the service. In SARA version 4.2.7 and before, the
    service banners were not properly sanitized, allowing HTML content in the
    banner to be processed by the administrative web browser.


    Vulnerable systems:
     * SARA versions 4.2.6 and 4.2.7

    Immune systems:
     * SARA version 5.0.0

    This allows standard cross-site scripting issues, which might be seriously
    exacerbated by the facts that:
     i) the normal mode of operation is for the web browser to be started by
    SARA, and as SARA must be run as root for scanning operations, the web
    browser is typically a root-owned process.

     ii) The simplified HTTP server automatically assigns the values of HTML
    form variables to global variables in the Perl script with the same name.

    Advanced Research Corporation was contacted about the issue 20 Nov, and
    has included code in version 5.0.0 of the package to deal with the
    problem. Upgrading is recommended (see http://www-arc.com/sara/ for
    download information).


    The information has been provided by Thomas M. Payerle
    <payerle@physics.umd.edu>.
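The two conditions described in the advisory (banners rendered unescaped, and form fields copied into same-named Perl globals) can be handled as in the following added example. It is not SARA's code or the fix shipped in 5.0.0; the function names, the form field names `target` and `severity`, and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not SARA's code): treat banners and form input as untrusted.
use strict;
use warnings;

# Escape HTML-significant characters so a banner renders as text, not markup.
sub html_escape {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    # Replace anything outside printable ASCII and tab with '?'.
    $text =~ s/[^\t\x20-\x7e]/?/g;
    return $text;
}

# Hypothetical report row: host, service and banner are all escaped on output.
sub banner_row {
    my ($host, $service, $banner) = @_;
    return sprintf("<tr><td>%s</td><td>%s</td><td><pre>%s</pre></td></tr>",
                   map { html_escape($_) } ($host, $service, $banner));
}

# Form fields go into a lexical hash; only allowlisted names whose values
# match their pattern are accepted, and nothing is assigned to a global.
my %ALLOWED = (
    target   => qr/\A[A-Za-z0-9.\-]{1,255}\z/,    # hypothetical field
    severity => qr/\A(?:light|normal|heavy)\z/,   # hypothetical field
);

sub parse_form {
    my ($query) = @_;
    my %form;
    for my $pair (split /[&;]/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        next unless exists $ALLOWED{$name} && $value =~ $ALLOWED{$name};
        $form{$name} = $value;
    }
    return \%form;
}

# Constructed sample input: a banner carrying markup, a query with an extra field.
my $banner = q{220 ftp ready <script>alert(1)</script>};
print banner_row('192.0.2.10', 'ftp', $banner), "\n";
my $form = parse_form('target=192.0.2.10&some_global=%2Ftmp&severity=normal');
print join(',', map { "$_=$form->{$_}" } sort keys %$form), "\n";
```

The field `some_global` in the sample query is dropped because it is not on the allowlist, so a request cannot set arbitrary script state by choosing a parameter name.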




    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
