SecurityReason.com - Our Reason is Security

Topic : Security Advisory on RSA Web ID (XSS)


SecurityAlert : 3768
CVE : CVE-2008-1470
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : quentin berdugo
Published : 25.03.2008

Affected Software : RSA WebID 5.3 + Security Fix XSS ID 45559.



Advisory Content :


The following security report was sent to RSA/EMC on 2/10/2007 and
confirmed by them. RSA took action to alert their customers.

-----------------------------------------

*Description*

The WebID authentication framework suffers from a flaw that allows an
attacker to steal an authenticated user's session if the user is enticed
into clicking a malicious link.

TEST URL :

https://www.yournamehere.com/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&authntype=2&username=a&passcode=a&postdata=aaa"%20><SCRIPT>alert(document.cookie)</script><!--

*Analysis*

The problem resides in the main library IISWebAgentIF.dll, which can usually
be found at the address "http://www.server.com/WebID/IISWebAgentIF.dll". This
entry point accepts many parameters, but only the "postdata" parameter has
been found vulnerable.

This parameter is normally sent in a POST request, but it is equally
accepted through a GET.

This bug was already reported and confirmed in April 2005 as
CVE-2005-118, and a security fix was issued. Nevertheless, the fix appears
to be poorly implemented, as basic circumvention techniques bypass its
security checks.

This parameter is matched against the string ""><SCRIPT". It also seems to
be matched against the string "javascript:" and probably other keywords. If
any of these keywords is matched, the whole value is filtered out of the
input.

The problem is that creating an exhaustive list of dangerous keywords is
very hard, due to the complexity of modern scripting languages (HTML, VB,
JavaScript etc.).

These examples illustrate how to execute code on the page without
triggering the security mechanisms (there could be many more):

[inserting a newline between the tags]

postdata=aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[inserting a space between the quotation marks and the closing bracket]

postdata=aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[using the DIV tag to avoid using the keyword "javascript:" (IE only)]

postdata=aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">

[using VBScript instead of JavaScript (IE only)]

postdata=aaa%22%3E<iframe%20SRC='VBScript:msgbox("XSS")'%20style="visibility:hidden

*Context*

The exploitation of the vulnerability requires an action from the victim
(clicking on a malicious link).

As the bug is reachable before the authentication phase, it can be
discovered and exploited without any access to the underlying application.
As the URL reveals the presence of the product, many vulnerable targets can
be found easily (e.g. google "inurl:IISWebAgentIF.dll"). Finally, it is
possible to append comments to the end of the malicious code so that the
victim's page appears unchanged.

*Affected Software*

We have confirmed the existence of this vulnerability in RSA WebID 5.3 +
Security Fix XSS ID 45559. It is suspected that any earlier version is also
vulnerable.

*Recommendation*

It is safer to filter out dangerous characters instead of dangerous
keywords.
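To make that recommendation concrete, here is an added example (not code from the advisory or from RSA) that contrasts a keyword blacklist approximating the fix described above with attribute-context encoding, running both over the advisory's own bypass payloads. The blacklist contents, the hidden-field template and the "naive" payload are constructed assumptions.

```python
import html
from urllib.parse import unquote

# Keyword blacklist approximating the fix the advisory describes: if any
# keyword is found, the whole value is dropped. The list is constructed.
BLACKLISTED_KEYWORDS = ('"><SCRIPT', 'javascript:')

# "naive" is a constructed payload the blacklist catches; the others are the
# bypass variants quoted in the advisory, still URL-encoded as in the query.
PAYLOADS = {
    "naive":    'aaa"><SCRIPT>alert(1)</script>',
    "newline":  'aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E',
    "space":    'aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E',
    "div_expr": 'aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">',
}

def keyword_filter(value: str) -> str:
    """Weak approach: reject the whole value only when a known keyword appears."""
    folded = value.upper()
    if any(k.upper() in folded for k in BLACKLISTED_KEYWORDS):
        return ""
    return value

def attribute_encode(value: str) -> str:
    """Hardened approach: encode the characters that carry meaning inside an
    HTML attribute (& < > " ') so the value can neither close the attribute
    nor open a tag, whatever keywords it contains."""
    return html.escape(value, quote=True)

def render_hidden_field(raw_query_value: str, sanitize) -> str:
    """Reflect the decoded postdata value into a hidden form field
    (constructed template; the real WebID page layout is not in the advisory)."""
    safe = sanitize(unquote(raw_query_value))
    return f'<input type="hidden" name="postdata" value="{safe}">'

def injects_markup(rendered: str) -> bool:
    """True if the reflected value introduced a tag of its own: the template
    itself contributes exactly one '<'."""
    return rendered.count("<") > 1

def evaluate(sanitize) -> dict:
    """Map each payload name to True if it still injects markup after sanitizing."""
    return {name: injects_markup(render_hidden_field(p, sanitize))
            for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for label, fn in (("keyword blacklist", keyword_filter),
                      ("attribute encoding", attribute_encode)):
        print(label, evaluate(fn))
```

The blacklist stops only the contiguous `"><SCRIPT` form, while encoding the five attribute-significant characters neutralises every variant without needing to know any keyword.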

Copyright © SecurityReason.com. All Rights Reserved.