Security Advisory on RSA Web ID (XSS)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Security Advisory on RSA Web ID (XSS)
From: quentin.berdugo@xxxxxxxxx
Date: 17 Mar 2008 14:58:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The following security report has been sent to RSA/EMC on the 2/10/2007 and 
confirmed by them. RSA took action to alert their customers.

-----------------------------------------



*Description*
The WebID authentication framework suffers from a flow allowing to steal an 
authenticated users's session if he is enticed into clicking a malicous link.

TEST URL :
https://www.yournamehere.com/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&authntype=2&username=a&passcode=a&postdata=aaa"%20><SCRIPT>alert(document.cookie)</script><!--

*Analysis*
The problem resides in the main library IISWebAgentIF.dll which can usually be 
found a the address "http://www.server.com/WebID/IISWebAgentIF.dll"; this entry 
point accepts many parameters but only the "postdata" parameter has been found 
vulnerable.
This parameter is normally sent over a POST method but it is equally accepted 
through a GET.

This bug has already been reported and confirmed in April 2005 as CVE-2005-118 
and a security fix has been issued. Nevertheless, it appears that the fix is 
poorly implemented as basic circumvention techniques allows to bypass those 
security checks.

This parameter is matched against the string ""><SCRIPT". It also seems to be 
matched against the string "javascript:" and probably other keywords. If any of 
this keywords is matched, the whole value is filtered out from the input.
The problem resides in the fact that creating a exhaustive list of the 
dangerous keywords is very hard, due to the complexity of the modern scripting 
codes (HTML, VB, JavaScript etc...).

These examples illustrates how to execute code on the page without triggering 
the security mechanisms (could be many more) :

[inserting a newline between the tags]
postdata=aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[insterting a space between the quotation marks and the closing bracket.]
postdata=aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[using the DIV tag to avoid using the keyword "javascript:" (IE only)]
postdata=aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">

[using VBScript instead of JavaScript (IE only)]
postdata=aaa%22%3E<iframe%20SRC='VBScript:msgbox("XSS")'%20style="visibility:hidden


*Context*
The exploitation of the vulnerability requires an action from the victim 
(clicking on a malicious link).
As the bug is accessible prior to the authentication phase, it can be 
discovered and exploited without any access to the underlying application. As 
the URL denotes the presence of the product, many vulnerable targets can be 
found easily (ex google "inurl:IISWebAgentIF.dll" ). Finally, it is possible to 
insert comments at the end of the malicious code to make the victim's page 
unchanged.


*Affected Software
We have confirmed the existence of this vulnerability in RSA WebID 5.3 + 
Security Fix XSS ID 45559. It is suspected that any earlier version is also 
vulnerable.

*Recommandation*
It's safer to filter out dangerous characters instead of dangerous keywords.

Prev by Date: raidsonic nas-4220 crypt disk key leak (stored in plain on unencrypted partition)
Next by Date: [SECURITY] [DSA 1493-2] New sdl-image1.2 packages fix arbitrary code execution
Previous by thread: raidsonic nas-4220 crypt disk key leak (stored in plain on unencrypted partition)
Next by thread: [SECURITY] [DSA 1493-2] New sdl-image1.2 packages fix arbitrary code execution
Index(es):
- Date
- Thread