SiteScape Forum TCL injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SiteScape Forum TCL injection
From: "lolo lolo" <lolofon@xxxxxxxxx>
Date: Thu, 20 Dec 2007 10:52:43 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=35z/maATcNQoJAQCcFQYu3D5V9Qa85lnGsTfOcmBLeg=; b=DoVaQ6z7VW12+/kMZzVGIJXjFg/Yd/oWa8bXn5TPAEVlCzCq3R4lx13YiAPtiM+dVjXgGzYZ1M4BVOTk1Va6cJrzfYEAq+52Q7qaFqSAMW8QugguqvC/8W0N3NgOyp3rr/75+0VlzW/bN17H07l7mGK16f4RWQFDlJjJzp+RMpQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=jJqiT+H+glrlO0Azbu5qFGies9S8MsLviYFnbko9SXqw4l3pQHbaFDfqMYR6JsJTcfpO42oFwPt6QsABcpZSNF6eeWoOArKcwfu8Lg5aiRgQg+yagfID7uYSOuQJNdjE7XMzLVKB/Jw96PDxJZu7EIe+mpCp8uN0m1afEscZ2iU=
In-reply-to: <bf5ae3f00712140435r76912318peca94b67b9b345dd@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <bf5ae3f00712140435r76912318peca94b67b9b345dd@xxxxxxxxxxxxxx>

Hi,
I have following advisory for you.
niekt0@xxxxxxxxxxx

SiteScape Forum TCL injection
================================
discovered by niekt0@xxxxxxxxxxx

PRODUCT: SiteScape Forum

EXPOSURE: TCL injection

SYNOPSIS
========
By URL modification it is possible to insert TCL code into aplication.
Account on target server is not required.

PROOF OF CONCEPT
================
Make a http request in form of

hxxp://support.sitescape.com/forum/support/dispatch.cgi/0;command

You can now enter commands separated by semicolon
There are some restrictions, but exploitation is possible.

SEE ALSO
========
http://farsite.hill.af.mil/forums/area1/dispatch.cgi/_sdk/help/

WORKAROUND
==========
Upgrade to latest version.

VENDOR RESPONSE
===============
"We have developed, tested, and distributed a fix to our current customer
base via our support site. The patch is available here:

https://support.sitescape.com/forum/support/dispatch.cgi/support/docProfile/
176803/

This URL requires a login. Thank you for alerting us."

NOTICE
======
>From sitescape.com :

"SiteScape's flagship product, SiteScape Forum(R), ...
SiteScape collaborative solutions are currently implemented worldwide
in organizations including the US Navy, US Centers for Disease
Control, the European Space Agency, Lockheed Martin..."
;)

Prev by Date: [security bulletin] HPSBTU02300 SSRT071452 rev.1 - HP Tru64 UNIX running FFM, Local Denial of Service (Dos)
Next by Date: [security bulletin] HPSBUX02295 SSRT071333 rev.1 - HP-UX Running rpc.yppasswdd, Remote Denial of Service (DoS)
Previous by thread: [security bulletin] HPSBTU02300 SSRT071452 rev.1 - HP Tru64 UNIX running FFM, Local Denial of Service (Dos)
Next by thread: [security bulletin] HPSBUX02295 SSRT071333 rev.1 - HP-UX Running rpc.yppasswdd, Remote Denial of Service (DoS)
Index(es):
- Date
- Thread