BRS WebWeaver Input Validation Hole in Generating Error Messages Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1007067
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 26 2003
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Advisory: Secunia Research
Version(s): 1.0.3, 1.0.4
Description: Secunia Research reported an input validation flaw in BRS WebWeaver. A remote user can conduct cross-site scripting attacks.
It is reported that the server does not filter HTML code from certain invalid requests before displaying the requested resource (containing
the HTML code). A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting
code to be executed by the target user's browser. The code will originate from the site running BRS WebWeaver and will run in the
security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[victim]/<script>alert(document.domain)</script>
http://[victim]/<script>alert(document.domain)</script>AAA..[196]..AAA
The following notification timeline is provided:
26/04/2003 - Vulnerability discovered.
29/04/2003 - Vendor notified (info@brswebweaver.com).
07/05/2003 - Vendor notified again.
07/05/2003 - Vendor reply.
03/06/2003 - Vendor releases v1.05 BETA.
24/06/2003 - Vendor releases v1.05.
26/06/2003 - Public disclosure.
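The flaw described above, as an added example that is not code from the advisory or from BRS WebWeaver: a minimal Python 404 handler that echoes the requested resource name unescaped, beside one that HTML-escapes it, plus a check that flags such requests in access-log lines. The handler functions, the log lines and the addresses in them are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (sample data, not from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jun/2003:11:11:24 +0200] "GET /index.html HTTP/1.0" 200 512
192.0.2.11 - - [26/Jun/2003:11:12:01 +0200] "GET /<script>alert(document.domain)</script> HTTP/1.0" 404 310
192.0.2.12 - - [26/Jun/2003:11:12:30 +0200] "GET /%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 404 310
"""

def render_404_vulnerable(path: str) -> str:
    """The flawed pattern: the requested resource name is echoed into the error page as-is."""
    return f"<html><body><h1>404 Not Found</h1><p>{path} was not found.</p></body></html>"

def render_404_fixed(path: str) -> str:
    """Same page, with the name percent-decoded and then HTML-escaped before it is embedded.
    Decoding first is an assumption about server behaviour; it keeps an encoded payload
    from reappearing as live markup after a later decode."""
    safe = html.escape(unquote(path), quote=True)
    return f"<html><body><h1>404 Not Found</h1><p>{safe} was not found.</p></body></html>"

# Anything that looks like an HTML tag in the decoded request path: "<script", "</a", "<img" ...
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)
# Request line inside a Common Log Format entry.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_xss_probe(path: str) -> bool:
    """Detection check for one request path: does it carry markup once decoded?"""
    return TAG_RE.search(unquote(path)) is not None

def find_probes(log_text: str) -> list[str]:
    """Return the request paths in an access log that carry markup (candidate XSS probes)."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and is_xss_probe(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    probe = "/<script>alert(document.domain)</script>"
    print(render_404_vulnerable(probe))   # tag survives: runs in the site's origin
    print(render_404_fixed(probe))        # rendered as text: &lt;script&gt;...
    print(find_probes(SAMPLE_LOG))        # the two 404 probe paths
```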
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
BRS WebWeaver server, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
Solution: The vendor has released a fixed version (1.05), available at:
http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=2
Vendor URL: www.brswebweaver.com/
Cause: Input validation error
Underlying OS: Windows (Any)
Reported By: Carsten H. Eiram <che@secunia.com>
Message History:
None.
Source Message Contents
Date: 26 Jun 2003 11:11:24 +0200
From: Carsten H. Eiram <che@secunia.com>
Subject: Secunia Research: BRS WebWeaver Error Page Cross-Site Scripting
======================================================================
Secunia Research 26/06/2003
- BRS WebWeaver Error Page Cross-Site Scripting Vulnerability -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/
======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification
======================================================================
1) Affected Software
BRS WebWeaver 1.0.4
BRS WebWeaver 1.0.3
NOTE: Prior versions have not been tested but may also be vulnerable.
======================================================================
2) Severity
Rating: Less critical
Impact: Cross-Site Scripting
Where: From Remote
======================================================================
3) Vendor's Description of Software
"BRS WebWeaver is a free personal web server that runs on the Windows
platform. Even with its small size (~375 KB) and low memory
requirements (~4 MB) it provides lots of functionality at speeds that
will impress you."
Vendor:
http://www.brswebweaver.com
======================================================================
4) Description of Vulnerability
A vulnerability has been identified in BRS WebWeaver, which can be
exploited by malicious people to conduct Cross-Site Scripting attacks
against visitors.
The vulnerability is caused by a lack of input validation, since
the name of a resource requested by a user is included in certain
error pages without prior sanitation.
A malicious person can exploit this by constructing a link, which
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session.
Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information)
associated with the site running BRS WebWeaver, or inclusion of
malicious content, which the user thinks is part of the real website.
Example exploiting a "404 Not Found" error page:
http://[victim]/<script>alert(document.domain)</script>
Example exploiting a "403 Access Denied":
http://[victim]/<script>alert(document.domain)</script>AAA..[196]..AAA
======================================================================
5) Solution
Update to version 1.05:
http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=2
======================================================================
6) Time Table
26/04/2003 - Vulnerability discovered.
29/04/2003 - Vendor notified (info@brswebweaver.com).
07/05/2003 - Vendor notified again.
07/05/2003 - Vendor reply.
03/06/2003 - Vendor releases v1.05 BETA.
24/06/2003 - Vendor releases v1.05.
26/06/2003 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2003-6/
======================================================================