AOH :: HP Unsorted P :: VA1260.HTM

Pro2col StingRay FTS login username cross site scripting



Pro2col StingRay FTS login username cross site scripting
Pro2col StingRay FTS login username cross site scripting



Pro2col StingRay FTS login username cross site scripting

scip AG Vulnerability ID 3809 (09/12/2008)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3809 

I. INTRODUCTION

StingRay FTS is a file transfer server for Internet communications.
Customers are able to transfer files or to send emails via the device.

More information is available on the official product web site at the
following URL:

http://pro2col.com/solutions/products/stingray_fts 

II. DESCRIPTION

Marc Ruef at scip AG found an input validation error within the current
release.

The initial logon script at /login.jsp that is not protected by any
authentication procedure can be used to run arbitrary script code within
a cross site scripting attack. Other parts of the application might be
affected too.

--- cut ---

StingRay Login
Benutzername  
Passwort  
 
--- cut --- III. EXPLOITATION Classic script injection techniques and unexpected input data within a browser session can be used to exploit this vulnerabilities. The approach to verify an insecure installation is possible with a simple form input. Use the following string as user name and a wrong passwort for the proof-of-concept: The script injection happens in this line (between the H3 headers) in the file /verify_login.jsp:

Der Benutzer konnte nicht in der Datenbank gefunden werden.

Bitte wiederholen...

The detection of vulnerable hosts is possible via Google hacking too as like Johnny Long has documented in his web database[1]. httprecon supports web fingerprinting for such devices too[2]. A plugin for our open-source exploiting framework Attack Tool Kit (ATK) will be published in the future[3]. IV. IMPACT Because non-authenticated parts of the software are affected, this vulnerability is serious for every secure environment. Non-authenticated users might be able to exploit this flaw to gain elevated privileges (e.g. extracting sensitive cookie information or launch a buffer overflow attack against another web browser). However, as Robert Welz with Pro2col told my via email, the discussed login part should be available on the internal interface only. Because other parts of the application might be affected too - this could include some second order vulnerabilities - a severe attack scenario might be possible. V. DETECTION Detection of web based attacks requires a specialized web proxy and/or intrusion detection system. Patterns for such a detection are available and easy to implement. Usually the mathematical or logical symbols for less-than (<) and greater-than (>) are required to propose a HTML tag. In some cases single (') or double quotes (") are required to inject the code in a given HTML statement. Some implementation of security systems are looking for well-known attack tags as like

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.