Cobalt RaQ Control Panel Cross Site Scripting
Cobalt RaQ Control Panel Cross Site Scripting
------
PRODUCT: Cobalt RaQ Web Control Panel
VENDOR: Sun - Cobal Networks
VULNERABLE VERSIONS:
- Sun Cobalt RaQ Servers Web Control Panel (T.I.N.P)
- Tested in a default configurated Sun Cobalt RaQ server. control
panel
- Sun Cobalt servers using the web based control panel(T.I.N.P)
- Sun Cobalt RaQ 550 Server Appliance
---------------------
N.TED = Not Tested in a Real Site / Production Site
T.I.N.P = Tested in Non Production Environment
____________
Description:
Sun Cobalt RaQ 550 server appliance integrates the hardware, software,
database and development tools needed to deploy applications extremely
quickly without any prior server experience.
---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------
I found XSS vulnerabilities in the web based Control Panel of
Cobalt RaQ Servers , with this hole you can try to get the target
user information trough the cgi script called message.cgi by
including script code in the info= variable value.
The script is used for the output of system and control messages like
help messages ( "hints" of rollovers for help the user about things of the
control panel ) .
In addition the ssl support is not enabled for the control panel of users.
Cobalt Servers are possible affected by the last security hole found in
OpenSSL.
---------
| XSS |
---------
Using the following encoded script:
%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E
And accessing a vulnerable control panel of a Cobalt RaQ server pointing
this address:
HTTP://[HOST NAME / DOMAIN]:[PORT:
81 ]/cgi-bin/.cobalt/message/message.cgi?info=[SCRIPT / XSS CODE]
A working demo of this can be :
http://w-0.h2oformum.foo:81/cgi-bin/.cobalt/message/message.cgi?info=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E
This will include the %3Cscript%3Ealert%28%27XSS%27%29%3B%3C/script%3E code
in the output and
when the web browser executes it you get a message box:
----JavaScript Application----
| XSS ! |
------------------------------
Thats all , simple and fast but Control Panel doesn't use cookies for keep
the passwords ,
this can be used for get the domain cookies if it is used by other
applications,although
it is a security hole because it demonstrates that the message.cgi script
does not have
an input validation system.
---------------------------------
| SSL SUPPORT NOT PRESENT IN CP |
---------------------------------
I observed that the ssl support is not enabled for the web server running
the control panel
( default webserver of cobalt raq control panel )
but the banner is this:
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25
You can try to access but you get nothing ( error connecting ).
Yhis is a problem because it uses basic auth and if some body get this:
GET /.cobalt/siteManage/www.blah.com/ HTTP/1.1
Host: tobeornottobeavulnerablehost.foo:81
User-Agent: Mozilla/5.0 Mozilla Firebird/0.6.1
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=
0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0, max-age=0
Authorization: Basic dGVzdDp0ZXN0
HTTP/1.x 200 OK
Date: Fri, 03 Oct 2003 13:37:54 GMT
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b
mod_auth_pam_external/0.1 mod_perl/1.25
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Look at Authorization: Basic dGVzdDp0ZXN0 , it is base64 encoded , decoded
value is:
test:test
------------------------------
| LAST OPENSSL SECURITY HOLE |
------------------------------
I think that the version that i checked is affected by the last OpenSSL secu
rity hole.
I haven't tested this but the OpenSSL version is included in the vulnerable
versions range.
-----------------
| VENDOR STATUS |
-----------------
10 October 2003
~~~~
Ok -> Warned / Contacted
~~~~
Mails sent to security-alert@xxxxxxx .
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21 ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________