[UNIX] Sun AnswerBook2 Arbitrary Script Injection and Cross Site Scripting
From: SecuriTeam (support_at_securiteam.com)
Date: 03/29/05
To: list@securiteam.com Date: 29 Mar 2005 18:50:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sun AnswerBook2 Arbitrary Script Injection and Cross Site Scripting
------------------------------------------------------------------------
SUMMARY
"The <http://docs.sun.com/app/docs/doc/805-3644/6j3fdvepg?a=view>
AnswerBook2 product uses a standards-based document server to deliver
online documentation through your favorite web browser. The AnswerBook2
interface lets you browse, search, and print a variety of Solaris
information, including AnswerBook1 collections and man pages."
A number of issues have been identified in Sun's AnswerBook2. The first is
a cross-site scripting flaw in the AnswerBook2 Search function, and the
other is arbitrary script injection in the administrative log files.
DETAILS
Vulnerable Systems:
* Solaris Versions 7, 8
Immune Systems:
* Solaris Versions 9, 10
Cross Site Scripting:
The following URL can be used to trigger the vulnerability:
http://example.com/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0548>
CAN-2005-0548
Arbitrary Script Injection:
The following URL will cause the program to start displaying the log file
generated by the program as HTML:
http://example.com/ab2/@Ab2Admin?command=view_access
Once the AnswerBook2 administrator views either of the files,
/var/log/ab2/logs/access-XXXX.log or /var/log/ab2/logs/access-XXXX.log,
the file is displayed as HTML rather than plain text. As a result, a number
of different methods could be used to launch attacks against the
AnswerBook2 administrator.
For example, if an XSS attempt has been made on another part of the
application, even if it was not immediately successful, it will execute
during the display of the Access or Error log files. Thus attacks could be
waged via browser vulnerabilities against the Sun AnswerBook2
Administrator who may have escalated privileges on the host operating
system.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0549>
CAN-2005-0549
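The log-viewer flaw described above, shown next to its fix, as an added
example that is not part of the original advisory and is not AnswerBook2
code. The log line format and the function names are assumptions; the
sample lines are constructed and reuse the example.com search URL above.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed access-log lines; the log format is an assumption, and the
# request strings reuse the example.com search URL from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2005:18:40:01 +0200] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=solaris&Search=+Search+ HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/Mar/2005:18:41:17 +0200] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=<script>alert("hello")</script>&Search=+Search+ HTTP/1.0" 200 4711',
    '192.0.2.44 - - [29/Mar/2005:18:41:30 +0200] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E'
    '&Search=+Search+ HTTP/1.0" 200 4711',
]

# Anything shaped like an HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!][^>]*>")


def render_unsafe(lines):
    """The flawed pattern: request-controlled log text is emitted as markup."""
    return "<br>\n".join(lines)


def render_safe(lines):
    """Encode every line for the HTML context, so log text stays text."""
    return "<pre>\n" + "\n".join(html.escape(line) for line in lines) + "\n</pre>"


def flag_markup(lines, max_decode_rounds=2):
    """Return indexes of lines carrying tag-like markup, raw or URL-encoded."""
    flagged = []
    for index, line in enumerate(lines):
        candidate = line
        for _ in range(max_decode_rounds + 1):
            if TAG_RE.search(candidate):
                flagged.append(index)
                break
            candidate = unquote_plus(candidate)
    return flagged


if __name__ == "__main__":
    print(render_safe(SAMPLE_LOG))
    print("lines to review:", flag_markup(SAMPLE_LOG))
```

flag_markup is meant for reviewing existing logs with a text tool before
anyone opens them in a browser-based viewer.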
Workaround:
The Sun Alert recommends disabling AnswerBook2 and using other sources of
documentation, namely the Solaris Documentation CD and online formats at
<http://docs.sun.com>.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ptt@btinternet.com> B00B00.