SecurityTracker.com
Category:  Application (Generic)  >  Apple Weblog Server
Vendors:  Apple Computer
Apple Weblog Server Input Validation Hole Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014694
SecurityTracker URL:  http://securitytracker.com/id?1014694
CVE Reference:  CAN-2005-2523
Updated:  Aug 18 2005
Original Entry Date:  Aug 16 2005
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Advisory:  Apple Security Advisory
Description:  An input validation vulnerability was reported in Apple's Weblog Server. A remote user can conduct cross-site scripting attacks.

The server does not properly filter HTML code from user-supplied input in the author and comments sections before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Weblog Server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on June 11, 2005.

Donnie Werner of exploitlabs discovered this vulnerability.
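
The missing filtering described above, as an added example (not Apple's code and not part of the original advisory): a Python sketch that renders a comment with and without output encoding and checks the result for active content, using the two probe strings from the advisory's POC section as regression inputs. The template markup, function names and tag list are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# One comment as a weblog might render it (constructed, hypothetical markup).
TEMPLATE = '<div class="comment"><span class="author">{author}</span><p>{text}</p></div>'

# Elements the template never emits itself; seeing one means input became markup.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


def render_unfiltered(author: str, text: str) -> str:
    """The flawed behaviour the advisory describes: input is echoed verbatim."""
    return TEMPLATE.format(author=author, text=text)


def render_encoded(author: str, text: str) -> str:
    """Output-encode both fields so the browser treats them as text, not markup."""
    return TEMPLATE.format(
        author=html.escape(author, quote=True),
        text=html.escape(text, quote=True),
    )


class _ActiveContentFinder(HTMLParser):
    """Collects active elements and on* event-handler attributes in rendered HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(tag)
        self.findings += [name for name, _ in attrs if name.startswith("on")]


def active_content(rendered: str) -> list:
    """Return the active tags and event-handler attributes found in rendered HTML."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


# The two probe strings from the advisory's POC section, used as regression inputs.
PROBES = ['<SCRIPT>alert(document.cookie);</SCRIPT>',
          '<iframe src="http://somesite.com"></iframe>']

if __name__ == "__main__":
    for probe in PROBES:
        print(active_content(render_unfiltered(probe, probe)),
              active_content(render_encoded(probe, probe)))
```

A non-empty result from `active_content` on a rendered comment page indicates that the author or comment field reached the browser as markup rather than text.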

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Weblog Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  Apple has issued a fix as part of Security Update 2005-007 v1.1, available from the Software Update pane in System Preferences or via Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.4.2
The download file is named: "SecUpd2005-007Ti.dmg"
Its SHA-1 digest is: 61194b8b10d64c5c63250b29679c5cf6553808e4

For Mac OS X Server v10.4.2
The download file is named: "SecUpdSrvr2005-007Ti.dmg"
Its SHA-1 digest is: 3fddac78fcad9218866837a261a3057678163f6a

Vendor URL:  docs.info.apple.com/article.html?artnum=302163
Cause:  Input validation error
Underlying OS:  UNIX (OS X)
Reported By:  "Morning Wood" <se_cur_ity@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Mon, 15 Aug 2005 16:18:12 -0700
From:  "Morning Wood" <se_cur_ity@hotmail.com>
Subject:  [Full-disclosure] Apple Mac Tiger 10.4 weblog server

 
------------------------------------------------------------
      - EXPL-A-2005-010 exploitlabs.com Advisory 039 -
------------------------------------------------------------
                       - Mac OSX Server weblog -





AFFECTED PRODUCTS
=================
Mac OSX 10.4.0 Weblog Server

http://apple.com



OVERVIEW
========
Weblog Server, which simplifies the publication of Weblogs.
 It provides users with the ability to publish and syndicate
 their Web content using existing Web browsers, including
 Apple's own Safari software. Features include calendar-based
 navigation, user and group blogs and HTML, RSS, RSS2, RDF
 and ATOM protocols, as well as "Apple-designed blog themes."
 Weblog Server can also integrate with Open Directory, LDAP
 and access control lists for authentication.




DETAILS
=======
1. XSS

Mac Server weblog comments do not properly filter
malicious script content. XSS may be inserted in the
author and comment body sections. The malicious script
is then rendered upon visitation and executed in the
context of the user's browser.

http://[host]:16080/weblog/[bloguser]/?permalink=[blogentry]&page=comments



POC
===

1.
------
input malicious script into author and comment sections in
the comment option on the weblog.
eg:<SCRIPT>alert(document.cookie);</SCRIPT> [cookie theft]
eg:<iframe src="http://somesite.com"></iframe> [redirect]


http://[host]:16080/weblog/[bloguser]/?permalink=[blogentry]&comment=y&page=comments&category=%2F&author=[script]&authorEmail=&authorURL=&commentText=[script]&submit=Submit+Comment



SOLUTION:
=========
vendor contact:
product-security@apple.com June 11, 2005

patch released:
Weblog Server
CVE-ID: CAN-2005-2523
Available for: Mac OS X Server v10.4.2

patch available:
http://www.apple.com/support/downloads/securityupdate2005007macosx1042server.html



Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

original: http://exploitlabs.com/files/advisories/EXPL-A-2005-010-mac-weblog.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Copyright 2005, SecurityGlobal.net LLC