[VulnWatch] Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability

From: Carsten H. Eiram (che_at_secunia.com)
Date: 01/26/04

    To: Full Disclosure <full-disclosure@lists.netsys.com>, VulnWatch <vulnwatch@vulnwatch.org>
    Date: 26 Jan 2004 15:07:43 +0100
    
    

    ======================================================================

                         Secunia Research 26/01/2004

       - IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -

    ======================================================================
    Receive Secunia Security Advisories for free:
    http://www.secunia.com/secunia_security_advisories/

    ======================================================================
    Table of Contents
     
    1....................................................Affected Software
    2.............................................................Severity
    3.....................................Vendor's Description of Software
    4.........................................Description of Vulnerability
    5.............................................................Solution
    6...........................................................Time Table
    7..............................................................Credits
    8........................................................About Secunia
    9.........................................................Verification

    ======================================================================
    1) Affected Software

    IBM Net.Data 7 and 7.2.

    NOTE: Other versions have not been tested but may also be affected.

    ======================================================================
    2) Severity

    Rating: Less critical
    Impact: Cross-Site Scripting
    Where: From Remote

    ======================================================================
    3) Vendor's Description of Software

    "Net.Data, a full-featured and easy to learn scripting language, allows
    you to create powerful Web applications. Net.Data can access data from
    the most prevalent databases in the industry".

    Vendor:
    http://www-3.ibm.com/software/data/net.data/

    ======================================================================
    4) Description of Vulnerability

    A vulnerability has been identified in IBM Net.Data, which can be
    exploited by malicious people to conduct cross-site scripting attacks
    against visitors of an affected site.

    The vulnerability is caused by an input validation error in the
    db2www CGI component: the name of a requested macro file is
    included in "DTWP001E" error messages without sufficient sanitisation.

    A malicious person can exploit this by constructing a link, which
    includes arbitrary script code. If a user is tricked into clicking
    the link or visiting a malicious website, the script code will be
    executed in the user's browser session in the context of the affected
    site.

    Example:
    http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

    Successful exploitation may result in disclosure of various
    information (e.g. cookie-based authentication information)
    associated with the site running IBM Net.Data, or inclusion of
    malicious content, which the user thinks is part of the real website.

    NOTE: Other error messages may also be affected.
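
    Added example (not part of the Secunia advisory or of IBM's code): a
    Python log check that flags requests to the db2www CGI whose macro path
    carries HTML markup, including percent-encoded and double-encoded forms.
    The log lines, client addresses and the macro name "orders.d2w" are
    constructed, and the Common Log Format layout is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2004:15:07:43 +0100] "GET /cgi-bin/db2www/orders.d2w/report HTTP/1.0" 200 5120
192.0.2.44 - - [26/Jan/2004:15:09:01 +0100] "GET /cgi-bin/db2www/<script>alert(document.domain)</script>/A HTTP/1.0" 200 412
192.0.2.45 - - [26/Jan/2004:15:09:30 +0100] "GET /cgi-bin/db2www/%3Cscript%3Ealert(1)%3C%2Fscript%3E/A HTTP/1.0" 200 409
192.0.2.46 - - [26/Jan/2004:15:10:02 +0100] "GET /cgi-bin/db2www/%253Cimg%2520src%253Dx%253E/A HTTP/1.0" 200 398
192.0.2.47 - - [26/Jan/2004:15:11:15 +0100] "GET /index.html?q=<b> HTTP/1.0" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+) HTTP/\d\.\d"')
# Everything after the CGI name is the macro name plus section. "[^/]*" lets
# the CGI name carry a suffix such as a file extension (assumption).
DB2WWW_RE = re.compile(r"/db2www[^/]*/(.*)", re.IGNORECASE)
# Characters that have no place in a macro file name but are needed for markup.
MARKUP_RE = re.compile(r"[<>\"']")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    for rounds in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value, rounds
        value = decoded
    return value, max_rounds


def suspicious_db2www_requests(log_text):
    """Return one record per db2www request whose macro path holds markup."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group("target").split("?", 1)[0]  # macro name is in the path
        decoded, rounds = decode_fully(path)
        cgi = DB2WWW_RE.search(decoded)
        if cgi and MARKUP_RE.search(cgi.group(1)):
            hits.append({"client": line.split(" ", 1)[0],
                         "macro_path": cgi.group(1),
                         "decode_rounds": rounds})
    return hits


if __name__ == "__main__":
    for hit in suspicious_db2www_requests(SAMPLE_LOG):
        print(hit)
```

    A decode_rounds value above 1 means the request was double-encoded,
    which a plain string match on "<script" in the raw log would miss.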

    ======================================================================
    5) Solution

    The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
    "DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
    web site reacts in a predictable manner when encountering problems.

    Example:
    In the Net.Data configuration file "db2www.ini", insert an entry such
    as:

    DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
    Check back later. </PRE>

    This will prevent various error messages from being returned to users.

    ======================================================================
    6) Time Table

    04/11/2003 - Vulnerability discovered.
    04/11/2003 - Vendor notified.
    07/11/2003 - Vendor confirms receiving vulnerability report. Report will
    be forwarded to Net.Data team.
    02/12/2003 - Requests status report from contact person.
    02/12/2003 - Contact person responds that the Net.Data team will be
    contacted.
    14/01/2004 - Advisory draft sent to vendor along with set disclosure
    date.
    14/01/2004 - Contact person replies that the Net.Data team will be
    contacted again.
    22/01/2004 - Vendor confirms vulnerability and provides solution.
    26/01/2004 - Public disclosure.

    ======================================================================
    7) Credits

    Discovered by Carsten Eiram, Secunia Research.

    ======================================================================
    8) About Secunia

    Secunia collects, validates, assesses, and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia website:

    http://www.secunia.com/

    Secunia offers services to our customers enabling them to receive all
    vulnerability information relevant to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://www.secunia.com/secunia_security_advisories/

    ======================================================================
    9) Verification

    Please verify this advisory by visiting the Secunia website:
    http://www.secunia.com/secunia_research/2004-1/
    ======================================================================

