Multiple XSS issues in Sun AnswerBook2

From: B00B00 (ptt_at_btinternet.com)
Date: 03/28/05

  • Next message: Gadi Evron: "phishing sites report - March/2005"
    Date: 28 Mar 2005 19:04:52 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    PTT SECURITY ADVISORY
    DATE: 08-02-2005
    AUTHOR: THOMAS LIAM ROMANIS
    CURRENT EMPLOYER: Echelon Ltd
    VENDOR: Sun
    PRODUCT: Sun AnswerBook2
    VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
    TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

    Summary.

    A number of issues have been identified in Sun Answerbook2. The first is AN xss issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

    Detail.

    1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
    This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low.

    http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
    29%3C%2Fscript%3E&Search=+Search+

    It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result.

    2. Administration Attack Vector issue.[CAN-2005-0549]
    When the Answerbook2 administrator opts to view the Access log file ( /var/log/ab2/logs/access-8888.log) or Error log file ( /var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, If an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

    http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access

    Remedial Action.

    The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature

    removal here:

    http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

    Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported

    releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for

    the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and

    using other sources of documentation, namely the Solaris Documentation CD and online formats at

    http://docs.sun.com.

    The Alert Released by Sun can be found at:

    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1


  • Next message: Gadi Evron: "phishing sites report - March/2005"