Vulnerability: Web Server Generic Cross-Site Scripting Vulnerability

  • Question

  • A pen test recently run on our IAG2007 server has come back with the following:

    (I've replaced the URL with the text "URL")

    Can anyone comment on whether we should be concerned about this? Or if there is a patch/fix for this vulnerability.

    We're running a fully patched up version of IAG2007 as far as I know.

    Vulnerability: Web Server Generic Cross-Site Scripting Vulnerability
    (Checks for generic cross-site scripting vulnerability in a web server)

    Service: https (443/tcp)

    Synopsis:
    The remote web server is prone to cross-site scripting attacks.

    Description:
    The remote host is running a web server that fails to adequately sanitize request strings of malicious Javascript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

    Details:
    The request string used to detect this flaw was:
    /p62iokl0.asp?<IMG%20SRC="javascript:alert(cross_site_scripting.nasl)">

    The output was:
    HTTP/1.1 200 OK\r
    Connection: close\r
    Date: Wed, 23 Jun 2010 16:08:23 GMT\r
    X-Powered-By: ASP.NET\r
    Cache-Control: no-store\r
    Content-Length: 12443\r
    Content-Type: text/html\r
    Expires: Wed, 23 Jun 2010 16:08:23 GMT\r
    Cache-control: private\r
    Server: Microsoft-IIS/6.0\r
    Set-cookie: NLSessionSpinsafe2f=wwgDT0LhJhjCR53cEJxIGSRM6p/OlYwtx48+63pJQGsHLxvYgN9d1V0aAR+rGxENWXZ7KvnjhaZrxNaslt5ufhrgHM6fublfl1hD3kEIMEG/puDF2F1jh9bSudkYzJld
    path=/
    secure\r
    \r
    [...]
    \r
    <input type="hidden" name ="site_name" id="site_name" value="pinsafe2f">\r
    <input type="hidden" name ="secure" id="secure" value="1">\r
    <input type="hidden" name ="orig_url" id="orig_url" value="https://URL/p62iokl0.asp?<IMG SRC="javascript:alert(cross_site_scripting.nasl)">">\r
    <input type="hidden" name ="resource_id" id="resource_id" value="C66B095BD60649D18ECB79F04C657517">\r
    <input type="hidden" name ="login_type" id="login_type" value="2">\r
    [...]

    Remediation advice:
    Contact the vendor for a patch or upgrade.

    CVE References:
    CVE-2002-1060
    CVE-2003-1543
    CVE-2005-2453
    CVE-2006-1681

    Bugtraq IDs:
    Bugtraq ID 5305
    Bugtraq ID 7344
    Bugtraq ID 7353
    Bugtraq ID 8037
    Bugtraq ID 14473
    Bugtraq ID 17408

    (Report footer: Private & Confidential © 2010 RandomStorm - Proactive Security Management, 24-Jun-2010 09:20, Page 70)

    Thursday, June 24, 2010 11:09 AM

All replies

  • Hi Amigo. The file p62iokl0.asp does not have a name that I can identify as belonging to a standard installation of UAG. Have you customized or integrated a third-party component (maybe one for authentication) into the InternalSite? If so, did you extend the URL Set with regular expressions for handling parameters and so on?

    Regards


    // Raúl - I love this game
    • Marked as answer by Erez Benari Tuesday, June 29, 2010 8:56 PM
    Thursday, June 24, 2010 4:47 PM
  • Hi Raúl,

    Yes you are correct, we have implemented a third party authentication mechanism into the InternalSite.  I should have seen that the issue lies there.  I did indeed extend the URL set with regular expressions for handling parameters etc.

    I'm guessing that I should take this up with the third party that supplied the custom script?

    Erin

    Monday, June 28, 2010 3:59 PM
  • Hi Raúl,

    Yes you are correct, we have implemented a third party authentication mechanism into the InternalSite.  I should have seen that the issue lies there.  I did indeed extend the URL set with regular expressions for handling parameters etc.

    I'm guessing that I should take this up with the third party that supplied the custom script?

    Erin


    I would ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, June 28, 2010 9:41 PM
    Moderator