IBM Net.Data db2www Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1008845
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 26 2004
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Secunia Research
Version(s): 7, 7.2
Description: An input validation flaw was reported in IBM's 'Net.Data' application. A remote user can conduct cross-site scripting attacks.

Secunia Research reported that the db2www CGI application does not filter HTML code from user-supplied input in the requested macro file name before displaying the information as part of the 'DTWP001E' error message.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the 'Net.Data' software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

The vendor was reportedly notified on November 4, 2003.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the 'Net.Data' software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: According to the report, the vendor has recommended that customers use the "DTW_DEFAULT_ERROR_MESSAGE" feature (or "DTW_DEFAULT_MACRO" feature on zOS and iServer).

An example entry from the 'db2www.ini' file is provided:

DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems. Check back later. </PRE>
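
One way to find requests of the kind described above in web server logs (an added example, not part of the SecurityTracker alert or the Secunia advisory): it percent-decodes the path that follows /cgi-bin/db2www/ and flags markup characters in the macro name. The log lines, the 'report.d2w' macro name and the Common Log Format layout are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed layout, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2004:15:01:00 +0100] "GET /cgi-bin/db2www/report.d2w/input HTTP/1.0" 200 1843',
    '192.0.2.44 - - [26/Jan/2004:15:02:00 +0100] "GET /cgi-bin/db2www/%3Cscript%3Ealert(document.domain)%3C/script%3E/A HTTP/1.0" 200 512',
    '192.0.2.45 - - [26/Jan/2004:15:03:00 +0100] "GET /cgi-bin/db2www/%253Cscript%253Ealert(document.domain)%253C/script%253E/A HTTP/1.0" 200 512',
    '192.0.2.10 - - [26/Jan/2004:15:04:00 +0100] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 77',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DB2WWW_PREFIX = "/cgi-bin/db2www/"  # CGI path taken from the advisory's example URL
MARKUP_CHARS = set("<>\"'")         # characters that can open or break out of HTML


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_macro_requests(lines):
    """Return (client, decoded macro path) for db2www requests carrying markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Drop the query string first: only the macro name in the path is
        # what the advisory says is reflected in the DTWP001E error message.
        path = fully_decode(match.group(1).split("?", 1)[0])
        if not path.startswith(DB2WWW_PREFIX):
            continue
        macro_part = path[len(DB2WWW_PREFIX):]
        if MARKUP_CHARS & set(macro_part):
            hits.append((line.split()[0], macro_part))
    return hits


if __name__ == "__main__":
    for client, macro in suspicious_macro_requests(SAMPLE_LOG):
        print(client, macro)
```
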
Vendor URL: www.ibm.com/software/data/net.data/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
Reported By: "Carsten H. Eiram" <che@secunia.com>
Message History: None.

Source Message Contents

Date: 26 Jan 2004 15:07:43 +0100
From: "Carsten H. Eiram" <che@secunia.com>
Subject: [Full-Disclosure] Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting
======================================================================
Secunia Research 26/01/2004
- IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/
======================================================================
Table of Contents
1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification
======================================================================
1) Affected Software
IBM Net.Data 7 and 7.2.
NOTE: Other versions have not been tested but may also be affected.
======================================================================
2) Severity
Rating: Less critical
Impact: Cross-Site Scripting
Where: From Remote
======================================================================
3) Vendor's Description of Software
"Net.Data, a full-featured and easy to learn scripting language, allows
you to create powerful Web applications. Net.Data can access data from
the most prevalent databases in the industry".
Vendor:
http://www-3.ibm.com/software/data/net.data/
======================================================================
4) Description of Vulnerability
A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site.
The vulnerability is caused due to an input validation error in the
db2www CGI component, since the name of a requested macro file is
included in "DTWP001E" error messages without sufficient sanitation.
A malicious person can exploit this by constructing a link, which
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session in context of the affected site.
Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A
Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information)
associated with the site running IBM Net.Data, or inclusion of
malicious content, which the user thinks is part of the real website.
NOTE: Other error messages may also be affected.
======================================================================
5) Solution
The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
web site reacts in a predictable manner when encountering problems.
Example:
In the Net.Data configuration file "db2www.ini", insert an entry such
as:
DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE>
This will prevent various error messages from being returned to users.
======================================================================
6) Time Table
04/11/2003 - Vulnerability discovered.
04/11/2003 - Vendor notified
07/11/2003 - Vendor confirms receiving vulnerability report. Report will
be forwarded to Net.Data team.
02/12/2003 - Requests status report from contact person.
02/12/2003 - Contact person responds that the Net.Data team will be
contacted.
14/01/2004 - Advisory draft sent to vendor along with set disclosure
date.
14/01/2004 - Contact person replies that the Net.Data team will be
contacted again.
22/01/2004 - Vendor confirms vulnerability and provides solution.
26/01/2004 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2004-1/
======================================================================