SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Novell Teaming Vendors:   Novell
Novell Teaming Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1022063
SecurityTracker URL:  http://securitytracker.com/id/1022063
CVE Reference:   CVE-2009-1293, CVE-2009-1294   (Links to External Site)
Date:  Apr 15 2009
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.3
Description:   Some vulnerabilities reported in Novell Teaming. A remote user can conduct cross-site scripting attacks. A remote user can determine valid usernames on the target system.

The software does not properly filter HTML code from user-supplied input in the 'p_p_state' and 'p_p_mode' parameters before displaying the input [CVE-2009-1294]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Novell Teaming software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

https://[target]/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_
DE

The vulnerability resides in the included third party Liferay portal.

The login page indicates whether authentication failures are due to an invalid username or an invalid password [CVE-2009-1293]. A remote user can valid usernames on the target application.

The vendor was notified on February 19, 2009.

Michael Kirchner of SEC Consult Vulnerability Lab reported these vulnerabilities.

The original advisory is available at:

https://www.sec-consult.com/files/20090415-0-novell-teaming.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Novell Teaming software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine valid usernames on the target application.

Solution:   The vendor has issued a fix.

The vendor's advisories are available at:

http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

Vendor URL:  www.novell.com/ (Links to External Site)
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (SuSE), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  SEC Consult SA-20090415-0 :: Multiple Vulnerabilities in Novell

SEC Consult Security Advisory < 20090415-0 >
==========================================================================
              title: Novell Teaming Multiple Vulnerabilities
                     * Username Enumeration
                     * Multiple Cross Site Scripting
                     * Includes vulnerable Liferay portal
            program: Novell Teaming
 vulnerable version: 1.0.3
           homepage: http://www.novell.com/products/teaming/
              found: February 2009
                 by: Michael Kirchner, SEC Consult Vulnerability Lab
               link:
https://www.sec-consult.com/files/20090415-0-novell-teaming.txt
==========================================================================

Vendor description:
-------------------

Web conferencing software from Novell. Teaming and conferencing offers a
number of solutions to improve productivity for enterprises, with web
conferencing just one of those solutions.

[source: http://www.novell.com/products/teaming/]


Vulnerability overview:
-----------------------

Multiple vulnerabilities have been identified in Novell Teaming. These
include enumeration of usernames, information disclosure, and cross site
scripting flaws. An attacker could leverage these vulnerabilities to
collect information about the system and its users and conduct effective
(XSS supported) hybrid phishing attacks.


Vulnerability description:
-------------------------

1. Username enumeration:

User authentication takes place via a login form at:

https://teaming.example.com/c/portal/login

The web application reacts differently for valid and invalid usernames
("Please enter a valid login" / "Auhtentication failed"). This allows an
attacker to deduce wether a spedific username exists. The attacker could
use this flaw to generate a list of usernames for dictionary- or
bruteforce-attacks.

2. Cross site scripting:

The parameters p_p_state and p_p_mode are not validated or escaped by
the web application. Script code can be injected into these parameters,
allowing for cross site scripting attacks. Example:

https://teaming.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_
DE

3. Vulnerable Liferay portal:

Novell Teaming includes a version of Liferay portal with known
vulnerabilities (two cross site scripting flaws):

* Liferay Portal "login" Cross-Site Scripting Vulnerability
  http://secunia.com/advisories/27537/
* Liferay Portal "emailAddress" Cross-Site Scripting
  http://secunia.com/advisories/27821/

-

Proof of concept:
-----------------

No special exploit code is required to exploit this vulnerabilities.


Vulnerable versions:
--------------------

Version 1.0.3 of Novell Teaming is vulnerable to the issues described.
Prior versions are most likely also vulnerable.


Vendor contact timeline:
------------------------

2009-02-19: Vendor informed about vulnerabilities
2009-04-14: Patches available


Patch:
------

The vendor has provided fixes for the issues described. In addition, two
Technical Information Documents containing update instructions have been
released. These can be found at the following URLs:

* TID 7002997
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

* TID 7002999
http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1%200%2033084737

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC