
List:       bugtraq
Subject:    Multiple XSS issues in Sun AnswerBook2
From:       B00B00 <ptt () btinternet ! com>
Date:       2005-03-28 19:04:52
Message-ID: 20050328190452.13163.qmail () www ! securityfocus ! com



PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is an XSS issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function. [CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low.

http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result.

2. Administration Attack Vector issue. [CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file (/var/log/ab2/logs/access-8888.log) or Error log file (/var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, if an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access
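The log-viewer problem above, as an added example that is not code from the advisory or from Sun: a viewer that drops log text straight into HTML beside one that escapes it, plus a review check run over constructed access-log lines (the log format, hosts, timestamps and sizes are assumptions, not AnswerBook2 data).

```python
import html
from urllib.parse import unquote

# Constructed access-log lines in a common web-server format; the hosts,
# timestamps and sizes are made up and are not AnswerBook2 data. Line 2
# carries raw markup in the search query, line 3 the URL-encoded form of
# the advisory's own proof-of-concept query.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [28/Mar/2005:19:04:52 +0000] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=solaris HTTP/1.0" 200 4120',
    '10.0.0.9 - - [28/Mar/2005:19:05:10 +0000] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=<script>alert(1)</script> HTTP/1.0" 200 3987',
    '10.0.0.9 - - [28/Mar/2005:19:05:41 +0000] "GET /ab2/Help_C/@Ab2HelpSearch'
    '?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E'
    ' HTTP/1.0" 200 3987',
]


def render_log_unsafe(lines):
    """The flaw the advisory describes: log text is placed straight into an
    HTML page, so markup inside a logged request becomes live markup in the
    administrator's browser."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_safe(lines):
    """Hardened viewer: each line is HTML-escaped before it is embedded, so
    logged markup is displayed as text (serving the file as text/plain is
    the other fix)."""
    escaped = (html.escape(line, quote=True) for line in lines)
    return "<pre>" + "\n".join(escaped) + "</pre>"


def flag_suspicious_lines(lines):
    """Review check: return the 1-based numbers of lines whose request holds
    angle brackets once URL-decoded, so encoded attempts that were 'not
    immediately successful' are still surfaced to the administrator."""
    hits = []
    for number, line in enumerate(lines, 1):
        decoded = unquote(line)
        if "<" in decoded or ">" in decoded:
            hits.append(number)
    return hits


if __name__ == "__main__":
    print(render_log_safe(SAMPLE_ACCESS_LOG))
    print("lines to review:", flag_suspicious_lines(SAMPLE_ACCESS_LOG))
```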

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature removal here:

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and using other sources of documentation, namely the Solaris Documentation CD and online formats at http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1

