NFuse Cross Site Scripting vulnerability

From: Eric Detoisien (eric.detoisien@global-secure.fr)
Date: Wed Mar 27 2002 - 03:44:43 PST


    Hi,
    
    NFuse provides several JSP (or ASP) pages to build a portal.
    In one of these pages (launch.jsp or launch.asp) it is possible to
    use the getLastError() method of the TemplateParser object (in
    fact this method is inherited from the WebPNObject object).
    
    The CSS problem comes from the getLastError() method. It does not
    filter the URL parameters that cause the problem.
    
    Example:
    if your launch.jsp contains a bit of code like this:
    
    if (!parser.Parse()) 
    {
        // the error text, which reflects the URL parameters, is written
        // to the page without any HTML encoding
        out.println("Error: " + parser.getLastError());
    }
    else
    {
    ...
    }
    
    With a request like this you can get the cookie with the login and
    password (the user must be logged in first):
    http://my_nfuse_portal.com/launch.jsp?NFuse_Application=>alert(document.cookie);</script>
    
    This was tested on :
    NFuse 1.6 + Apache
    NFuse 1.51 + Apache
    NFuse 1.6 + Microsoft IIS
    
    Workaround :
    Do not print the result of getLastError(), or filter the result before printing it.
    
    
    P.S. : thanks to Sylvain Bartoli and Selim Tahi who participated in testing
    
    
    Eric DETOISIEN
    Security Consultant
    GLOBAL SECURE
    Web  : http://www.global-secure.fr
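The advisory's workaround is to filter the error text before it is printed. The block below is an added example, not code from the advisory or from NFuse: it models the same output path as the launch.jsp fragment (error message concatenated into the response) in JavaScript, and puts the unsafe rendering next to a hardened version that HTML-encodes the message first. `lastErrorFor` is a constructed stand-in for getLastError() and `nfuseApplicationParam` for the NFuse_Application URL parameter; neither is the real NFuse API.

```javascript
// Added example (not part of the original advisory). The JSP fragment above
// writes parser.getLastError() straight into the HTML response, so a reflected
// URL parameter ends up as markup. This models that path and adds the
// encoding step the posted workaround asks for.
// `lastErrorFor` stands in for getLastError() and `nfuseApplicationParam` for
// the NFuse_Application URL parameter; both are assumptions, not NFuse's API.

// The five characters that can break out of HTML text or attribute context,
// mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so it renders as literal text in an HTML body context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for getLastError(): the parser echoes the unknown
// application name back in its error message, which is how the URL
// parameter reaches the page.
function lastErrorFor(nfuseApplicationParam) {
  return `Application not found: ${nfuseApplicationParam}`;
}

// Vulnerable rendering, equivalent to out.println("Error: " + parser.getLastError()).
function renderErrorUnsafe(nfuseApplicationParam) {
  return 'Error: ' + lastErrorFor(nfuseApplicationParam);
}

// Hardened rendering: the error text is HTML-encoded before it is written
// into the response, so reflected input cannot introduce tags or attributes.
function renderErrorSafe(nfuseApplicationParam) {
  return 'Error: ' + escapeHtml(lastErrorFor(nfuseApplicationParam));
}

// Simple check usable in a test suite or a response-body scan: does the
// rendered output still contain a raw HTML tag?
function containsRawTag(html) {
  return /<\/?[a-z][^>]*>/i.test(html);
}

// Demo with the parameter value quoted in the advisory.
const sample = '>alert(document.cookie);</script>';
console.log(renderErrorUnsafe(sample)); // the </script> tag survives as markup
console.log(renderErrorSafe(sample));   // the tag is now inert text
```

The same encoding belongs on every other place a template or error string is echoed; the regression check `containsRawTag` is a cheap way to keep that property covered in tests.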
    



    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 13:13:39 PST