[VulnWatch] CORE-2006-0124: Cross-Site Scripting in Verisign’s haydn.exe CGI script
- From: CORE Security Technologies Advisories <advisories@xxxxxxxxxxxxxxxx>
- Date: Mon, 20 Mar 2006 20:29:25 -0300
Core Security Technologies - Corelabs Advisory
Cross-Site Scripting in Verisign’s haydn.exe CGI script
Date Published: 2006-03-20
Last Update: 2006-03-20
Advisory ID: CORE-2006-0124
Bugtraq ID: None currently assigned
CVE Name: None currently assigned
Title: Cross-Site Scripting in Verisign’s haydn.exe CGI script
Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: No
2006-01-25: Notification sent to Verisign
2006-01-25: Notification acknowledged by Verisign
2006-01-26: Draft advisory with details sent to Verisign
2006-02-08: Vulnerability confirmed by Verisign
2006-03-17: Verisign's response with fix information
2006-03-20: CORE-2006-0124 Advisory released
Release Mode: COORDINATED RELEASE
The haydn.exe file is a common CGI component used in various Verisign
products, including those for Digital ID certificate enrollment and for
the revocation and validation of server certificates.
A cross-site scripting vulnerability in Verisign's haydn.exe could allow
an attacker to execute script code in a user's web browser with the same
trust level as the site hosting the haydn.exe file (usually a trusted
site, since it is used to enroll, revoke or validate certificates).
A malicious web site could use this vulnerability to spoof the results
of certificate validation operations performed on a trusted site that
uses the vulnerable executable.
Vulnerable package information provided by the vendor:
- MPKI 6.0
Fix information provided by the vendor:
"VeriSign appreciates Core Security for bringing this to our attention.
To ensure appropriate management of error messages the creation of a
default HTML file must be constructed. To do this perform the
Create a blank html file in the '<local hosting install
directory>/htmldocs/' directory labeled 'fdf_noHTMLFile.html'
This vulnerability was found by Alberto Soliño from Core Security
*Technical Description - Exploit/Concept Code:*
The vulnerability is a common cross-site scripting bug caused by the lack
of validation of user input passed to the haydn.exe CGI, specifically in
the VHTML_FILE parameter. On an error condition haydn.exe exits and
returns the unsanitized input to the web server, which in turn passes it
on to the client browser.
The vulnerability can be verified by issuing the following request to
replaced with any static or dynamic code of the attacker's choice.
To determine if the vulnerability is present using the above example
An attacker could also choose to mimic the results of a successful
legitimate request to haydn.exe and thus subvert the operations of the
application using the vulnerable component.
Filter the content passed by the user in the VHTML_FILE field to only
allow valid characters on input before passing the request to
Additionally, when passing back the output of haydn.exe to the client
browser sanitize the data to avoid passing back arbitrary code
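The following is an added example, not haydn.exe's source and not code from
Core or Verisign. It is a hypothetical CGI-style error handler that
reproduces the pattern described in the technical description (the value of
VHTML_FILE copied verbatim into the error page) next to a handler that
applies both recommended mitigations: an allowlist on the parameter before
use, and HTML encoding of anything echoed back. The allowlist pattern, the
error-page wording and the test payload are assumptions chosen for the
example. The `reflects_payload` helper is the same check a tester would
perform by hand: send a marker and look for it unencoded in the response.

```python
"""Model of the VHTML_FILE reflected-XSS error path (illustrative only).

This is NOT the source of haydn.exe.  It is a hypothetical handler written
for this example; the allowlist rule, messages and payload are assumptions.
"""
import html
import re
from urllib.parse import parse_qs, quote

# Allowlist for VHTML_FILE: a bare file name ending in .html, with no path
# separators or markup characters.  Chosen for the example, not the vendor's rule.
VHTML_FILE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.html$")

# Constructed probe payload (not taken from the advisory).
PAYLOAD = "<script>alert(document.domain)</script>"


def _vhtml_file(query_string: str) -> str:
    """Return the decoded VHTML_FILE value from a raw query string ('' if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get("VHTML_FILE", [""])[0]


def vulnerable_error_page(query_string: str) -> str:
    """Vulnerable pattern: the raw parameter is reflected into the error page."""
    name = _vhtml_file(query_string)
    return f"<html><body>Error: cannot open file {name}</body></html>"


def hardened_error_page(query_string: str) -> str:
    """Hardened pattern: validate on input, encode on output.

    Validation rejects anything that is not a plain .html file name, so the
    error text never carries attacker-chosen bytes.  html.escape is still
    applied to the accepted value as defence in depth, in case the allowlist
    is later relaxed.
    """
    name = _vhtml_file(query_string)
    if not VHTML_FILE_RE.fullmatch(name):
        return "<html><body>Error: invalid template file name</body></html>"
    safe = html.escape(name, quote=True)
    return f"<html><body>Error: cannot open file {safe}</body></html>"


def reflects_payload(handler, payload: str = PAYLOAD) -> bool:
    """Verification check: does the probe come back unencoded in the body?"""
    qs = "VHTML_FILE=" + quote(payload, safe="")
    return payload in handler(qs)


if __name__ == "__main__":
    print("vulnerable handler reflects payload:", reflects_payload(vulnerable_error_page))
    print("hardened handler reflects payload:  ", reflects_payload(hardened_error_page))
```

The check is deliberately strict: it looks for the payload byte-for-byte, so a
response that encodes `<` as `&lt;` counts as not vulnerable. A real
assessment would also try encodings the browser still executes (attribute
contexts, JavaScript contexts), which is why the hardened handler rejects
the input rather than relying on escaping alone.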
*Additional information and References*
Cross-Site Scripting (commonly referred to as XSS) attacks are the
result of improper filtering of input obtained from untrusted sources.
Basically, they consist of the attacker injecting malicious HTML tags
and/or script code that is executed by the user's web browser when
accessing the vulnerable web site. The injected code then takes
advantage of the trust given by the user to the vulnerable site.
These attacks are usually targeted at the users of a web application
rather than at the application itself (although one could say that the
users are affected because of a vulnerability in the web application).
The term 'cross-site scripting' is also sometimes used in a broader
sense, referring to different types of attacks involving script
injection into the client.
HTML Code Injection and Cross-Site Scripting:
How To Prevent Cross-Site Scripting Security Issues:
How To Review ASP Code for CSSI Vulnerability:
The Cross-Site Scripting FAQ (XSS):
Sample methods for JS-Injection:
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://www.coresecurity.com/corelabs/
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing
product for assessing specific information security threats to an
organization. Penetration testing evaluates overall network security
and identifies what resources are exposed. It enables organizations to
determine if current security investments are detecting and preventing
Core augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.
Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 Corelabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.
$Id: verisign-advisory.txt,v 1.8 2006/03/20 22:29:39 iarce Exp $