SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Cobalt RaQ Control Panel Cross Site Scripting Date: Oct 4 2003 10:46AM Author: Lorenzo Hernandez Garcia-Hierro Message-ID: <005501c38a65$03067270$050010ac@rootserver> Cobalt RaQ Control Panel Cross Site Scripting ------ PRODUCT: Cobalt RaQ Web Control Panel VENDOR: Sun - Cobal Networks VULNERABLE VERSIONS: - Sun Cobalt RaQ Servers Web Control Panel (T.I.N.P) - Tested in a default configurated Sun Cobalt RaQ server. control panel - Sun Cobalt servers using the web based control panel(T.I.N.P) - Sun Cobalt RaQ 550 Server Appliance --------------------- N.TED = Not Tested in a Real Site / Production Site T.I.N.P = Tested in Non Production Environment ____________ Description: Sun Cobalt RaQ 550 server appliance integrates the hardware, software, database and development tools needed to deploy applications extremely quickly without any prior server experience. --------------------------------------------- |SECURITY HOLES FOUND and PROOFS OF CONCEPT:| --------------------------------------------- I found XSS vulnerabilities in the web based Control Panel of Cobalt RaQ Servers , with this hole you can try to get the target user information trough the cgi script called message.cgi by including script code in the info= variable value. The script is used for the output of system and control messages like help messages ( "hints" of rollovers for help the user about things of the control panel ) . In addition the ssl support is not enabled for the control panel of users. Cobalt Servers are possible affected by the last security hole found in OpenSSL. --------- | XSS | --------- Using the following encoded script: %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E And accessing a vulnerable control panel of a Cobalt RaQ server pointing this address: HTTP://[HOST NAME / DOMAIN]:[PORT: 81 ]/cgi-bin/.cobalt/message/message.cgi?info=[SCRIPT / XSS CODE] A working demo of this can be : http://w-0.h2oformum.foo:81/cgi-bin/.cobalt/message/message.cgi?info=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E This will include the %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E code in the output and when the web browser executes it you get a message box: ----JavaScript Application---- | XSS ! | ------------------------------ Thats all , simple and fast but Control Panel doesn't use cookies for keep the passwords , this can be used for get the domain cookies if it is used by other applications,although it is a security hole because it demonstrates that the message.cgi script does not have an input validation system. --------------------------------- | SSL SUPPORT NOT PRESENT IN CP | --------------------------------- I observed that the ssl support is not enabled for the web server running the control panel ( default webserver of cobalt raq control panel ) but the banner is this: Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25 You can try to access but you get nothing ( error connecting ). Yhis is a problem because it uses basic auth and if some body get this: GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1 Host: tobeornottobeavulnerablehost.foo:81 User-Agent: Mozilla/5.0 Mozilla Firebird/0.6.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q= 0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cache-Control: max-age=0, max-age=0 Authorization: Basic dGVzdDp0ZXN0 HTTP/1.x 200 OK Date: Fri, 03 Oct 2003 13:37:54 GMT Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25 Keep-Alive: timeout=300 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html Look at Authorization: Basic dGVzdDp0ZXN0 , it is base64 encoded , decoded value is: test:test ------------------------------ | LAST OPENSSL SECURITY HOLE | ------------------------------ I think that the version that i checked is affected by the last OpenSSL secu rity hole. I haven't tested this but the OpenSSL version is included in the vulnerable versions range. ----------------- | VENDOR STATUS | ----------------- 10 October 2003 ~~~~ Ok -> Warned / Contacted ~~~~ Mails sent to security-alert sun com . ----------- | CONTACT | ----------- Lorenzo Hernandez Garcia-Hierro --- Security Consultant --- ------------------NSRGroup------------------- PGP: Keyfingerprint D185 3555 8ECD 3921 6B21 ACC6 CEBB 2826 4B4C 283E ID: 0x4B4C283E Size: 4096 ********************************** NSRGroup ( No Secure Root Group Security Research Team ) / ( NovaPPC Security Research Group ) http://www.nsrg-security.com ______________________ Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus