SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Directory)  >   InJoin Directory Server Vendors:   Critical Path
Critical Path inJoin Directory Server 'iCon' Management Interface Allows Cross-Site Scripting Attacks Against Administrators
SecurityTracker Alert ID:  1004276
SecurityTracker URL:  http://securitytracker.com/id/1004276
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 10 2002
Impact:   Modification of user information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.0
Description:   An input filtering flaw was reported in Critical Path's 'iCon' web-based administration inteface for their inJoin directory server. A remote user can conduct cross-site scripting attacks against authenticated iCon administrators.

Nomad Mobile Research Centre reported that a remote user can conduct cross-site scripting attacks against authenticated iCon administrators. Several URLs allow user-supplied scripting to be injected and then executed when the server displays the resulting response.

Two demonstration exploit examples are provided:

http://ip:1500/DSASD&DSA=1&LOCID=<script>^ .</script>&FRAME=Y
http://ip:1500/OBCR&OC=<script>^ .</script>&FRAME=Y

According to the report, other URL requests may also be vulnerable.

A remote user could create HTML containing malicious URLs that, when loaded by the target (victim) user, will cause arbitrary scripts to be executed by the target user's browser if the target user has already been authenticated to the iCon server. The code will appear to originate from the iCon server and will run in the security context of that server. The scripts can then take actions acting as the target user (i.e., an iCon administrator), performing administrative functions.

Impact:   A remote user can conduct cross-site scripting attacks against iCon administrators. A remote user can create HTML containing malicious scripts such that, when the HTML is loaded by an iCon administrator that is currently logged into the iCon system, will execute the remote user's arbitrary scripts. The scripts will be able to take actions acting as an authenticated iCon administrator.
Solution:   No solution was available at the time of this entry. However, the vendor has reportedly prepared a fix (iCon 4.1.4.7) to be posted on the Critical Path support website when available:

http://support.cp.net

The release should be available within "a few weeks."

Vendor URL:  www.cp.net/solutions/platform-ims-directory.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 8

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Two (2) Critical Path inJoin V4.0 Directory Server Issues


Per our policy at http://www.nmrc.org/advise/policy.txt, we are releasing
these advisories as these are not high priority and the vendor has a fix
that is scheduled to be released soon.  In an effort to save bandwidth,
both advisories are in this single email.  NMRC will see you at DefCon in
Las Vegas!

_______________________________________________________________________________

                 I N F O R M A T I O N  A N A R C H Y  2 K 0 1
                          www.nmrc.org/InfoAnarchy

                        Nomad Mobile Research Centre
                              A D V I S O R Y
                               www.nmrc.org
                        Cyberiad [cyberiad@nmrc.org]
                                 10May2002
_______________________________________________________________________________

         Platforms  : Solaris 2.8
         Application: Critical Path inJoin V4.0 Directory Server
         Severity   : Medium

Synopsis
--------

This advisory documents a web traversal vulnerability in the Web-based
administrator interface, named iCon, of the inJoin Directory Server that
allows an attacker with the correct username and password to read any file
accessible to the ids user.


Details
-------

The administrative web server, iCon, listens on TCP port 1500 and runs
under the ids account. By connecting to this port using a web browser and
entering a correct administrator username and password, an operator can
remotely administer the Directory Server and view log entries. The URL
used to view log entries is of the form.


  http://ip:1500/CONF&LOG=iCon.err&NOIH=no&FRAMES=y


The value of the file= parameter refers to a file named iCon.err.
Unfortunately, no checks are performed on the location of this value.
Therefore, an authenticated user can replace the file= parameter with the
absolute path to a filename and read the contents. For example, the
following request returns the /etc/passwd file,


  http://ip:1500/CONF&LOG=/etc/passwd&NOIH=no&FRAMES=y


Only those files that can be read by the ids account are accessible. For
example, by default, /etc/shadow cannot be retrieved. Testing confirmed
that the attack is not successful without the correct administrator
username and password.


Tested configurations
---------------------

Testing was performed with the following configurations:

  Critical Path inJoin V4.0 Directory Server
  Solaris 2.8


Vendor Response
---------------

Critical Path Inc:

Critical Path was contacted on April 30, 2002 and has implemented
preventative fixes for this issue.  A maintenance release to be known as
iCon 4.1.4.7 will be posted on the Critical Path support website at
http://support.cp.net, which is available to supported customers.  This
will be within the next few weeks, dependent upon other fixes that need to
be made available in this maintenance release.


Solution/Workaround
-------------------

Filter TCP port 1500 at the border to prohibit public access to the
Directory Server's administrative interface.

Use a strong password on the Directory Server administrator account and
change regularly. Distribute the password to only Directory Server
administrators.

Modify permissions on sensitive files to prohibit access by the ids user.

Though administration of the Directory Server over SSL is currently not
supported, Ciritical Path recommends the use of VPN software to mitigate
the risk of disclosure of the administrator username and password. The
next major release of the Critical Path Directory Server will features
SSL-enablement of the web-based management interface.


Comments
--------

This advisory has been released under Information Anarchy -
http://www.nmrc.org/InfoAnarchy/


Copyright
---------

This advisory is Copyright (c) 2002 NMRC - feel free to distribute it
without edits but fear us if you use this advisory in any type of
commercial endeavour.


_______________________________________________________________________________

_______________________________________________________________________________

                 I N F O R M A T I O N  A N A R C H Y  2 K 0 1
                          www.nmrc.org/InfoAnarchy

                        Nomad Mobile Research Centre
                              A D V I S O R Y
                               www.nmrc.org
                        Cyberiad [cyberiad@nmrc.org]
                                 10May2002
_______________________________________________________________________________

         Platforms  : Solaris 2.8
         Application: Critical Path inJoin V4.0 Directory Server
         Severity   : Low

Synopsis
--------

This advisory documents cross-site scripting vulnerabilities in the
Web-based administrator interface, named iCon, of the inJoin Directory
Server that allows an attacker with the correct username and password to
inject HTML script and use the server in a cross-site scripting attack.


Details
-------

The administrative web server, iCon, listens on TCP port 1500 and runs
under the ids account. By connecting to this port using a web browser and
entering a correct administrator username and password, an operator can
remotely administer the Directory Server. Testing of various
administrative URL's located situations in which script can be injected
and executed upon rendering of the response. Two examples are as follows,




Additional URL requests are also thought to be vulnerable. Testing
confirmed that the attack is not successful without the correct
administrator username and password.


Tested configurations
---------------------

Testing was performed with the following configurations:

  Critical Path inJoin V4.0 Directory Server
  Solaris 2.8


Vendor Response
---------------

Critical Path Inc:

Critical Path was contacted on April 30, 2002 and has implemented
preventative fixes for this issue.  A maintenance release to be known as
iCon 4.1.4.7 will be posted on the Critical Path support website at
http://support.cp.net, which is available to supported customers.  This
will be within the next few weeks, dependent upon other fixes that need to
be made available in this maintenance release.


Solution/Workaround
-------------------

Filter TCP port 1500 at the border to prohibit public access to the
Directory Server's administrative interface.

Use a strong password on the Directory Server administrator account and
change regularly. Distribute the password to only Directory Server
administrators.

Though administration of the Directory Server over SSL is currently not
supported, Ciritical Path recommends the use of VPN software to mitigate
the risk of disclosure of the administrator username and password. The
next major release of the Critical Path Directory Server will features
SSL-enablement of the web-based management interface.


Comments
--------

This advisory has been released under Information Anarchy -
http://www.nmrc.org/InfoAnarchy/


Copyright
---------

This advisory is Copyright (c) 2002 NMRC - feel free to distribute it
without edits but fear us if you use this advisory in any type of
commercial endeavour.


_______________________________________________________________________________




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC