[NEWS] Pro2col StingRay FTS Login Username Cross Site Scripting



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Pro2col StingRay FTS Login Username Cross Site Scripting
------------------------------------------------------------------------


SUMMARY

<http://pro2col.com/solutions/products/stingray_fts> StingRay FTS is "a
file transfer server for Internet communications. Customers are able to
transfer files or to send emails via the device". Marc Ruef at scip AG
found an input validation error within the current release of StingRay
FTS.

DETAILS

The initial logon script at /login.jsp, which is not protected by any
authentication procedure, can be used to run arbitrary script code in a
cross site scripting attack: the submitted user name is reflected
unescaped by /verify_login.jsp. Other parts of the application might be
affected too.

<form name="form_login" method="post" action="verify_login.jsp">
<input type="hidden" name="form_browser_os" value="2">
<input type="hidden" name="form_browser_type" value="2">
<table border="0" cellspacing="0" width="100%"
class="loginheadertable">
<tr>
<td valign="center" class="loginheadertable">StingRay Login</td>

</tr>
</table>
<img border="0" src="images/line.jpg" width="100%" height="10"></img>
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr height="25" valign="middle">
<td width="15%">Benutzername</td>
<td width="35%"><input type="text" name="form_username"
size="30"></td>
<td width="50%"> </td>

</tr>
<tr height="15" valign="middle">
<td>Passwort</td>
<td>
<input type="password" name="form_password" size="30">
</td>
<td> </td>
</tr>

</table>
<img border="0" src="images/line.jpg" width="100%" height="10">
<table border="0" cellpadding="5" cellspacing="5" width="100%"
class="stdtable">
<tr>
<td width="50%" align="right">
<input type="Image" src="images/bt_login_de.gif" name="login"
class="formbutton"
onClick="SetBrowserParam(this.form);">
</td>
<td> </td>
</tr>

</table>
</form>

Exploit:
Classic script injection techniques and unexpected input data within a
browser session can be used to exploit this vulnerability.

An insecure installation can be verified with a simple form input. Use the
following string as the user name together with a wrong password for the
proof-of-concept:
<script>alert('scip');</script>

The injected script appears in this line (between the H3 tags) of the
file /verify_login.jsp:
<H3>Der Benutzer <script>alert('scip');</script> konnte nicht in der
Datenbank gefunden werden.<br><br>Bitte wiederholen...</H3>
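The reflection above, reproduced as an added Python example that is not part of the advisory or the product: render_vulnerable concatenates the raw user name into the error message the way /verify_login.jsp does, and render_hardened shows the standard fix, HTML-entity encoding the value before it enters an HTML text context. The template string and the function names are assumptions for illustration.

```python
import html

# Error line from /verify_login.jsp as quoted in the advisory; {user} marks where
# the submitted user name is reflected (the template form is an assumption).
ERROR_TEMPLATE = ("<H3>Der Benutzer {user} konnte nicht in der Datenbank "
                  "gefunden werden.<br><br>Bitte wiederholen...</H3>")

# Proof-of-concept user name from the advisory.
POC_USERNAME = "<script>alert('scip');</script>"


def render_vulnerable(username: str) -> str:
    """Reproduces the flaw: the raw user name is concatenated into the HTML."""
    return ERROR_TEMPLATE.format(user=username)


def render_hardened(username: str) -> str:
    """Fix: entity-encode the value for an HTML text context. quote=True also
    encodes ' and ", so the same helper is safe inside attribute values."""
    return ERROR_TEMPLATE.format(user=html.escape(username, quote=True))


def payload_survives(rendered: str, payload: str = POC_USERNAME) -> bool:
    """True when the payload reaches the browser verbatim, i.e. would execute."""
    return payload in rendered


if __name__ == "__main__":
    print(render_vulnerable(POC_USERNAME))
    print(render_hardened(POC_USERNAME))
```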

Impact:
Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges (e.g.
extracting sensitive cookie information or launching a buffer overflow
attack against another web browser). However, as Robert Welz of Pro2col
told me via email, the discussed login part should be available on the
internal interface only.

Because other parts of the application might be affected too (this could
include some second-order vulnerabilities), a severe attack scenario might
be possible.

Detection:
Detecting web-based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available and
easy to implement. Usually the less-than (<) and greater-than (>) symbols
are required to form an HTML tag. In some cases single (') or double
quotes (") are required to inject the code into a given HTML statement.
Some security systems also look for well-known attack tags such as
<script> and attack attributes such as onMouseOver. However, these are
usually not capable of identifying a highly optimized payload.
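An added detection example (not from the advisory or any product) that applies the patterns described above to constructed POST bodies for /verify_login.jsp: a literal signature check for <script> and onMouseOver beside a check that first normalises each value (repeated URL and entity decoding, lowercase), which is the gap the optimized-payload caveat refers to. The sample bodies and function names are constructed for illustration; only the parameter names come from the form shown above.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample POST bodies to /verify_login.jsp, as a proxy or IDS in
# front of the login page would see them (not captured traffic).
SAMPLE_BODIES = [
    "form_username=alice&form_password=secret",
    # the advisory's proof-of-concept string, URL-encoded once by the browser
    "form_username=%3Cscript%3Ealert%28%27scip%27%29%3B%3C%2Fscript%3E&form_password=x",
    # same tag with mixed case
    "form_username=%3CScRiPt%3Ealert%281%29%3C%2FsCrIpT%3E&form_password=x",
    # quote breaks out of an attribute, handler written in lowercase
    "form_username=bob%22+onmouseover%3D%22alert%281%29&form_password=x",
    # URL-encoded twice: a single decode leaves the tag hidden
    "form_username=%253Cscript%253Ealert%281%29%253C%252Fscript%253E&form_password=x",
]

# Literal signatures as the advisory describes them.
LITERAL_SIGNATURES = ("<script>", "onMouseOver")

# Normalised signatures: any spelling of a script tag, and an on*= handler that
# follows whitespace, a quote or a slash (so a value like "only=text" is not hit).
NORMALISED_SIGNATURES = re.compile(r"""<\s*script\b|[\s"'/]on[a-z]+\s*=""")


def normalise(value: str, rounds: int = 3) -> str:
    """Undo layered URL and HTML-entity encoding until the value stops
    changing, then lowercase so case tricks do not matter."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value.lower()


def literal_match(body: str) -> bool:
    """Signature check on the values as the web server decodes them once."""
    values = [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]
    return any(sig in v for v in values for sig in LITERAL_SIGNATURES)


def normalised_match(body: str) -> bool:
    """Same check after normalising each parameter value."""
    values = [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]
    return any(NORMALISED_SIGNATURES.search(normalise(v)) for v in values)


def classify(bodies=SAMPLE_BODIES):
    """(literal_hit, normalised_hit) per body, in order."""
    return [(literal_match(b), normalised_match(b)) for b in bodies]
```

Only the advisory's own proof-of-concept string trips the literal check; the normalised check catches all four malicious variants while leaving the benign login alone.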

Solution:
We informed Pro2col at an early stage. They confirmed the problem and
initially announced a bugfix for a release scheduled in March 2008. A
re-scheduling was proposed and no further details were provided. Our last
request has remained unanswered for a long time.

Vendor response:
Pro2col was first informed on 2008/06/12 via email at
info-at-pro2col.com. A very kind reply by James Lewis came back a few
hours later. Further discussion of the flaw (how to reproduce it) was held
with Robert Welz. A re-scheduling of the planned patch was proposed. Our
last request has remained unanswered for a long time.

Disclosure timeline:
2007/12/05 Identification of the vulnerability
2007/12/06 First information to info-at-pro2col.com
2007/12/07 Immediate reply by and further discussion with James Lewis
2008/01/11 Technical confirmation by Robert Welz
2008/03/18 Status report by Robert Welz
2008/07/08 Offering for re-check of the patch by Robert Welz
2008/07/09 Undefined re-scheduling of the patch
2008/08/29 Last request for actual status (no reply)
2008/09/12 Public advisory


ADDITIONAL INFORMATION

The information has been provided by <mailto:maru@xxxxxxx> Marc Ruef.
The original article can be found at:
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
