List: bugtraq
Subject: Multiple XSS issues in Sun AnswerBook2
From: B00B00 <ptt () btinternet ! com>
Date: 2005-03-28 19:04:52
Message-ID: 20050328190452.13163.qmail () www ! securityfocus ! com
PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].
Summary.
A number of issues have been identified in Sun Answerbook2. The first is an XSS issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.
Detail.
1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result, the impact of this issue is likely to be low.
http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+
It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result.
2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file (/var/log/ab2/logs/access-8888.log) or Error log file (/var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result, a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, if an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator, who may have escalated privileges on the host operating system.
http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access
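The log-viewer flaw in item 2, as an added example that is not code from the advisory or from Sun: a viewer that emits the log as raw HTML beside one that HTML-escapes it, plus a scan of the same log for script markup after URL-decoding, which is how an administrator could spot such attempts before opening the viewer. The log excerpt, client address and timestamps are constructed.

```python
import html
import re
from urllib.parse import unquote

# Constructed log excerpt (not from the advisory). Line 1 is a benign search,
# line 2 is the advisory's search PoC as a web server would log the request
# URI, line 3 shows the same term logged decoded, as an application error log
# might record it. Client address and timestamps are made up.
SAMPLE_LOG = """\
192.168.197.5 - - [28/Mar/2005:19:04:52 +0000] "GET /ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=sendmail&Search=+Search+ HTTP/1.0" 200 5120
192.168.197.5 - - [28/Mar/2005:19:05:10 +0000] "GET /ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+ HTTP/1.0" 200 4880
[28/Mar/2005:19:05:10 +0000] search error: no results for '<script>alert("hello")</script>'
"""


def render_log_unsafe(log_text: str) -> str:
    """Reproduces the flaw: the log is dropped into the page as HTML, so any
    markup that reached the log is parsed by the administrator's browser."""
    return "<pre>" + log_text + "</pre>"


def render_log_safe(log_text: str) -> str:
    """Hardened viewer: HTML-escape the log so markup is displayed, not executed."""
    return "<pre>" + html.escape(log_text, quote=True) + "</pre>"


# Markup that has no business in a documentation search term or request URI.
MARKUP_RE = re.compile(r"<\s*/?\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_markup(log_text: str) -> list:
    """Return (line number, decoded line) for log lines carrying script markup,
    after two rounds of URL-decoding so encoded payloads are caught too."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        decoded = unquote(unquote(line))
        if MARKUP_RE.search(decoded):
            hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, decoded in find_markup(SAMPLE_LOG):
        print(f"line {lineno}: {decoded}")
```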
Remedial Action.
The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature removal here:
http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view
Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and using other sources of documentation, namely the Solaris Documentation CD and online formats at http://docs.sun.com.
The Alert Released by Sun can be found at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1