IBM Tivoli Directory Server Input Validation Flaw Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1008358
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 2 2003
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 4.1
Description: An input validation vulnerability was reported in the IBM Tivoli Directory Server. A remote user can conduct cross-site scripting attacks against administrators.
It is reported that the web administration interface (ldacgi.exe) does not validate user-supplied information to remove HTML code before displaying the user-supplied information. A remote user can create a specially crafted URL that, when loaded by a target administrator, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the administrative interface and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
A demonstration exploit URL is provided:
https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script>
The vendor has reportedly been notified without response.
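The flaw described above is a classic reflected cross-site scripting bug: a query parameter is copied into the login page without output encoding. The following Python is an added illustration, not code from SecurityTracker, IBM or the reporter. It models the unsafe reflection of the `Action` parameter beside the hardened form (contextual HTML entity encoding), and runs a coarse detection over constructed web-server access-log lines that flags requests carrying a `<script` tag in the decoded query string. The page template and the log lines are constructed for the example; only the demonstration URL comes from the advisory.

```python
"""Reflected XSS in a CGI query parameter: unsafe vs. encoded reflection,
plus a simple access-log check for the pattern. Added example; the
rendered page and the log lines are constructed, not from the product."""
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Demonstration URL quoted in the advisory.
DEMO_URL = 'https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script>'

# Constructed access-log lines (Apache common log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2003:13:53:56 +0100] "GET /ldap/cgi-bin/ldacgi.exe?Action=Login HTTP/1.0" 200 512',
    '10.0.0.9 - - [02/Dec/2003:13:54:10 +0100] "GET /ldap/cgi-bin/ldacgi.exe?Action=%3Cscript%3Ealert(%22foo%22)%3C/script%3E HTTP/1.0" 200 620',
]


def action_param(url: str) -> str:
    """Return the Action query parameter of a URL (empty string if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("Action", [""])[0]


def render_vulnerable(action: str) -> str:
    """Hypothetical page that echoes the parameter into HTML unchanged.
    This is the behaviour the advisory describes: the browser parses the
    attacker-controlled text as markup."""
    return f"<p>Unknown action: {action}</p>"


def render_hardened(action: str) -> str:
    """Same page with contextual output encoding. html.escape turns every
    character that can change HTML structure (< > & \" ') into an entity,
    so the browser displays the text instead of executing it."""
    return f"<p>Unknown action: {escape(action, quote=True)}</p>"


def contains_active_markup(document: str) -> bool:
    """True if the rendered document still contains a literal <script tag."""
    return "<script" in document.lower()


# Request line inside a common-log-format entry: "GET /path?query HTTP/1.0"
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(lines):
    """Return request targets whose percent-decoded query string contains a
    <script tag. Coarse, but it catches the advisory's payload whether the
    angle brackets were sent raw or URL-encoded."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        decoded_query = unquote(urlsplit(target).query)
        if "<script" in decoded_query.lower():
            hits.append(target)
    return hits


if __name__ == "__main__":
    payload = action_param(DEMO_URL)
    print("unsafe  :", render_vulnerable(payload))
    print("encoded :", render_hardened(payload))
    print("flagged :", suspicious_requests(SAMPLE_LOG))
```

The detection is deliberately simple: it looks only for a `<script` tag after percent-decoding, so event-handler attributes or other vectors would need further rules. The fix, by contrast, is general: encoding at the point where the value is written into HTML neutralises the parameter regardless of which payload is supplied.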
Impact: A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site
running the administrative interface software, access data recently submitted by the target administrator via web form to the site,
or take actions on the site acting as the target administrator.
Solution: No solution was available at the time of this entry.
Vendor URL: www.ibm.com/software/tivoli/products/directory-server/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2000)
Reported By: "Oliver Karow" <Oliver.Karow@gmx.de>
Message History:
None.
Source Message Contents
Date: Tue, 2 Dec 2003 13:53:56 +0100 (MET)
From: "Oliver Karow" <Oliver.Karow@gmx.de>
Subject: IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability
IBM Directory Server 4.1 Web Admin Gui (ldacgi.exe) XSS Vulnerability
=====================================================================
During the audit of a 3rd party product, based on IBM Directory Server,
I found a cross site scripting vulnerability on IBM's Directory Server 4.1
Web Admin Gui. The vuln exists due to the fact that ldacgi.exe does not
validate the input regarding script code.
Version:
========
IBM Directory Server 4.1 ( IBM HTTP Server 1.3.19.2 Apache/1.3.20) running
on Windows platform.
Exploiting:
===========
https://server/ldap/cgi-bin/ldacgi.exe?Action=<script>alert("foo")</script>
Vendor:
=======
Website: http://www.ibm.com
Product: http://www-306.ibm.com/software/tivoli/products/directory-server/
Status: informed - but no reply within 7 days
Misc:
=====
The XSS exists in ldacgi.exe which will appear on the login-screen.
It's a vuln with a small impact, but user-input should always be validated :)
By the way, requesting ldacgi3.exe (no auth. required) gives a lot of
information about the accepted parameters of ldacgi.exe, which can be used to
start further attacks against ldacgi.exe.
Credit:
=======
Oliver.Karow[@]gmx.de
www.oliverkarow.de