
OK, so I’m a little annoyed with Symantec. I submitted this vulnerability to them in January of 2008 and they released it last night without chatting with me regarding the advisory. Every vendor I have dealt with up to this point has at least extended that courtesy.
They get it wrong,
“The flaw only allows an attacker to display a message of their choice on the Reporting Server login screen. The attacker does not gain additional access to the Reporting Server program unless the message persuades a trusted user to forward their login credentials to the attacker.”
No. More can be accomplished than just passing text to the user interface. There is more to it. This would process code if you passed it correctly. If you have a look at the screen cap above, take a look at the URL and consider your options.
This made me choke on my morning coffee. They released this last night.
To set up an attack, an attacker would either need access to the Reporting Server, or to entice a trusted user to click on a specially crafted link to the Reporting Server.
Right. That’s the only way. (/sarcasm)
Where I get more annoyed is that they list their affected products as only being Symantec Antivirus Corporate Edition, Symantec Client Security and Symantec Endpoint Protection. From my discussions with Symantec (and I have the emails) they indicated that any product in their line that uses this reporting library is affected. After delays, it’s now finally fixed, although the fix cannot be delivered via LiveUpdate.
Date Submitted: January 17, 2008
Vendor Response: January 18, 2008
Date Fixed: June 2008 (date missed by Symantec)
Date Fixed: November 2008 (date missed by Symantec)
Date Fix Released: April 28, 2009
Why did a vulnerability rated as “low” take that long to fix you ask? Damn good question.
This was an annoying experience dealing with Symantec and its inability to meet deadlines that it set forth. Being responsible and working with vendors sometimes just isn’t worth the hassle. I think I’ll just submit future finds to ZDI.
Symantec Advisory
Secunia Advisory

Summary
Name: CiscoWorks Arbitrary Code Execution Vulnerability
Release Date: 28 May 2008
Reference: LSD003-2008
Discoverer: Dave Lewis
CVE Number: CVE-2008-2054
Vendor: Cisco Systems
Systems Affected: CiscoWorks Common Services (various versions): Cisco Unified Operations Manager (CUOM), Cisco Unified Service Monitor (CUSM), CiscoWorks QoS Policy Manager (QPM), CiscoWorks LAN Management Solution (LMS), Cisco Security Manager (CSM), Cisco TelePresence Readiness Assessment Manager (CTRAM)
Risk: High
Status: Published (Vendor Confirmed, Patch Available)
Description
CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.
This vulnerability exists due to an unspecified error in CiscoWorks Common Services. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code resulting in complete system compromise.
Impact: Arbitrary code execution with elevated privileges. Fire bad.
Timeline
Discovered: 14 February 2008
Reported: 14 February 2008
Fixed: 22 April 2008
Patch Release: 28 May 2008
Published: 28 May 2008
Technical Details
The vulnerability exists due to an unspecified error in CiscoWorks Common Services when it processes attacker-supplied URLs. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with elevated privileges.
Fix Information
This issue has now been resolved.
The patch may be obtained from:
Cisco Advisory
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a1f14.shtml
I would like to thank Cisco for their professional response to this issue.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3
Summary
Name: Adobe LiveCycle Workflow XSS Vulnerability
Release Date: 11 March 2008
Reference: LSD002-2008
CVE Number: CVE-2008-1202
Discoverer: Dave Lewis
Vendor: Adobe Systems
Product: LiveCycle Workflow 6.2 Management Web Interface
Systems Affected: version 6.2 (as tested)
NB. Other versions may be affected.
Risk: Important
Status: Published
Reference:
1) http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-…ility/
2) http://www.adobe.com/support/security/bulletins/apsb08-10.html
Timeline
Discovered: 16 January 2008
Reported: 16 January 2008
Fixed: 5 March 2008
Patch Release: 11 March 2008
Published: 11 March 2008
Description
The Adobe LiveCycle Workflow management login page contains a vulnerability which makes it susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute an XSS attack that could pass arbitrary HTML to the user and capture usernames/passwords.
Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has been resolved.
The patch may be obtained from:
http://www.adobe.com/go/supportportal
Notes
I would like to thank the Adobe team for their attention to this problem and for their professionalism.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
Tags: Security Advisory, Advisory, Adobe Systems, Adobe LiveCycle Workflow
Summary
Name: Tripwire Enterprise/Server XSS Vulnerability
Release Date: 29 January 2008
Reference: LSD001-2008
Discoverer: Dave Lewis
Vendor: Tripwire
Product: Tripwire Enterprise/Server Management Web Interface
Systems Affected: version 7.0 (as tested)
NB. Earlier versions are affected as well. Please upgrade.
Risk: Less Critical
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2008/01/29/advisory-tripwire-…ility/
Description
The Tripwire Enterprise management login page contains a vulnerability which makes it susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute an XSS attack that could pass arbitrary HTML to the user.
Technical Details
Input passed to the URL of the web management login page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has been resolved.
The patch may be obtained from:
http://www.tripwire.com (Patch 866 “te-7.0.0.866_patch.zip”)
Notes
I would like to thank the Tripwire team for their professionalism. I should note that the release of this advisory does not in any way negatively alter my view that Tripwire is a great audit and control suite.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
Tags: Security Advisory, Advisory, Tripwire, Tripwire Enterprise
Whoops…my bad. The correct link is here:
http://www.liquidmatrix.org/blog/2008/01/29/advisory-tripwire…ility/
Summary
Name: Websense XSS Vulnerability
Release Date: 10 December 2007
Reference: LSD002-2007
Discoverer: Dave Lewis
CVE: Pending
Vendor: Websense
Product: Websense Enterprise and Websense Web Security Suite
Systems Affected: version 6.3 (as tested)
Risk: Less Critical
Status: Published
Reference:
http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/
Timeline
Discovered: 8 November 2007
Reported: 8 November 2007
Fixed: 21 November 2007
Patch Release: 21 November 2007
Published: 10 December 2007
Description
Websense Enterprise and Websense Web Security Suite contain a vulnerability in the login page which makes it susceptible to a cross site scripting (XSS) attack.
Impact: a remote attacker could execute an XSS attack that could pass arbitrary HTML to the user.
Technical Details
Input passed to the “username” field of the logon page is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
Fix Information
This issue has now been resolved.
The patch may be obtained from:
http://www.websense.com (Hotfix #80)
Knowledge Base #1840
http://www.websense.com/SupportPortal/SupportKbs/1840.aspx
Notes
I would like to thank Dan and the rest of the Websense team for their professionalism. I should note that the release of this advisory was delayed due simply to an errant email.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
Tags: Security Advisory, Advisory, Websense, Websense Vulnerability
Summary
Name: Cross Site Scripting in CiscoWorks
Release Date: 05 December 2007
Reference: LSD001-2007
Discoverer: Dave Lewis
CVE Number: CVE-2007-5582
Vendor: Cisco
Systems Affected: CiscoWorks version 2.6 (as tested)
All prior builds are affected
Risk: Medium
Status: Published (Vendor Confirmed, Patch Available)
Description
The initial CiscoWorks login page is susceptible to XSS attack.
Impact: attackers could execute XSS attacks that can harvest session cookies and usernames/passwords.
Timeline
Discovered: 20 August 2007
Reported: 24 September 2007
Fixed: 5 November 2007
Patch Release: 5 December 2007
Published: 5 December 2007
Technical Details
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. Input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session.
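The four XSS advisories on this page (Tripwire, Adobe LiveCycle Workflow, Websense and this CiscoWorks one) all describe the same defect: a login page that echoes a request parameter or part of the request URL back to the browser without output encoding. The Python below is an added example and is not code from any of these vendors or from Liquidmatrix. It shows a login renderer with that defect beside its hardened form, and a check that substitutes a probe into each query parameter and reports which ones come back unencoded. The page markup, the parameter names ("username" and "redirect") and the probe string are assumptions constructed for the example.

```python
"""Reflected XSS on a management login page: vulnerable rendering, hardened
rendering, and a reflection check.

Constructed example. The page markup, the parameter names ("username" and
"redirect") and the probe string are assumptions; none of it is taken from
the products in the advisories above.
"""
import html
from urllib.parse import parse_qs, urlsplit

# A probe carrying the characters needed to close an attribute and open a
# tag. If it comes back byte-for-byte, the parameter is reflected without
# output encoding.
PROBE = '"><i>probe</i>'


def request_params(url: str) -> dict:
    """Flatten a URL's query string to {name: first value}, the way a
    servlet's getParameter() would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def render_login_vulnerable(params: dict) -> str:
    """Echo request parameters straight into the page. This is the flaw class
    the advisories describe: input is returned to the user unsanitized."""
    username = params.get("username", "")
    redirect = params.get("redirect", "/")
    return (
        "<html><body><h1>Management Console Login</h1>"
        f'<form method="post" action="/login?redirect={redirect}">'
        f'<input name="username" value="{username}">'
        '<input name="password" type="password">'
        '<input type="submit" value="Log in"></form></body></html>'
    )


def safe_redirect(target: str) -> str:
    """Accept only a same-site relative path as the post-login target; an
    absolute URL, a protocol-relative //host, or probe junk falls back to /."""
    if target.startswith("/") and not target.startswith("//") and "\\" not in target:
        return target
    return "/"


def render_login_fixed(params: dict) -> str:
    """Same page with every reflected value HTML-escaped (quotes included, so a
    value cannot close the attribute it sits in) and the redirect validated."""
    username = html.escape(params.get("username", ""), quote=True)
    redirect = html.escape(safe_redirect(params.get("redirect", "/")), quote=True)
    return (
        "<html><body><h1>Management Console Login</h1>"
        f'<form method="post" action="/login?redirect={redirect}">'
        f'<input name="username" value="{username}">'
        '<input name="password" type="password">'
        '<input type="submit" value="Log in"></form></body></html>'
    )


def reflected_unescaped(render, url: str) -> list:
    """Substitute PROBE into each query parameter of `url` in turn, render the
    page, and return the names of parameters whose probe came back unencoded."""
    params = request_params(url)
    hits = []
    for name in params:
        trial = dict(params, **{name: PROBE})
        if PROBE in render(trial):
            hits.append(name)
    return hits


if __name__ == "__main__":
    url = "https://console.example/login?username=admin&redirect=/home"
    print("vulnerable:", reflected_unescaped(render_login_vulnerable, url))
    print("fixed:     ", reflected_unescaped(render_login_fixed, url))
```

The check is deliberately simple: it looks for the raw probe in the response body, which is what a code reviewer or a QA test would do to confirm that every reflected value passes through an encoder. Escaping alone is the right fix for the username field; the redirect target additionally needs validation, because an HTML-escaped but attacker-chosen URL is still an open redirect.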
Fix Information
This issue has now been resolved.
The patch may be obtained from:
http://www.cisco.com
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sr-20071205-cw.shtml
I would like to thank Cisco for their prompt and professional response to this issue.
Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/
Thanks: PortSwigger, Wade and pdp.