<<< Date Index >>>     <<< Thread Index >>>

Hopeless comments regarding the pointless "HP System Management Homepage (SMH) Unspecified XSS"



=====================================================================================
Hopeless comments regarding the pointless 
"HP System Management Homepage (SMH) Unspecified XSS"

August 25, 2008

=====================================================================================
[Overview]

Since HP does not provide technical details in its security bulletins, it is 
really
difficult to track vulnerabilities and patches.

In the last few years several Cross Site Scripting vulnerabilities were 
reported 
against the HP System Management Homepage (SMH), however no technical details 
were
provided and it is still difficult to understand the real entity of this issue.
Whenever you search for information regarding this weakness in the public 
vulnerability 
databases, you can just read tons of incomplete or overlapped descriptions.

In order to understand the essence of the problem, have a look at:
http://www.securityfocus.com/bid/25953
Although it is ages away from being useful, it gives a compact overview of the 
flaw. 

This is the most useless indeed:
http://www.securityfocus.com/bid/24256

This document discusses three attack vectors found on the HP System Management 
Homepage(SMH).

=====================================================================================
[Impact]

Cross Site scripting (XSS)
 
Since it is a web management console, the Cross Site Scripting vulnerability 
has a
medium/high impact whenever it can be exploited.

=====================================================================================
[Technical Details] 

HP System Management Homepage (SMH) is prone to a XSS vulnerability because it 
fails to check the input parameter used to show a generic error message.

The vulnerability affects the "message.php" script. In detail, this page uses 
the 
JavaScript property "location.search" in order to create a contextual error 
message.
If the error ID provided in the URL does not match any valid code, a generic 
error 
is reported ("An unknown error (%INVALID_CODE%) occurred") instead. 

In the first versions of the HP System Management Homepage (probably <= 2.1.1) 
there
is a client-side only input validation:

<--- cut here --->
// handle possible active content in the pieces of the query string
   for(i=0; i<splitquery.length; i++)
   {
      splitquery[i] = unescape(splitquery[i]);
      splitquery[i] = splitquery[i].replace("\<script\>", "");
      splitquery[i] = splitquery[i].replace("\<\/script\>", "");
   }
<--- cut here --->

As you can see, the validation is obviously prone to fail.
Since it is not performed a global matching but just the first occurrence is 
replaced, 
it is trivial to bypass this control and successfully exploit the flaw.
Moreover we have to remember that multiple attack vectors without the HTML 
"SCRIPT" tag
exist in this situation.

In the second generation (for sure, after the version 2.1.4), finally a server 
side
validation was introduced. Unfortunately a simple NULL byte (%00) is enough
to bypass this checkpoint and provides the "location.search" as in the previous
vulnerable versions.
The version 2.1.11 is patched against this vulnerability.

The server side validation introduced in the second generation appears to be a 
black-list
based filter. All HTML tags tested were blocked by the filter. However the 
'<BGSOUND>' tag
has not been included in the black-list and it bypasses the server-side 
validation.
As reported by Rsnake in his XSS Cheat Sheet,'<BGSOUND>' tag is a valid attack 
vector in 
certain versions of Opera.

The latest version (2.1.12) has not yet been tested for this vector. Since only 
Opera
users are likely to be affected, the associated risk is relatively low.

=====================================================================================
[Vulnerable Versions] 

According to our analysis, this is probably the most comprehensive list: 

HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2 (TESTED for 1st vector)
HP System Management Homepage 2.0.1 (TESTED for 1st vector)
HP System Management Homepage 2.0
HP HP-UX B.11.31
HP HP-UX B.11.23
HP HP-UX B.11.11

HP System Management Homepage 2.1.11 
HP System Management Homepage 2.1.12 are NOT vulnerable using the 1st and 2nd 
vector.

=====================================================================================
[Exploit]

1st vector)
https://<IP>:2381/message.php?<script><script>alert('xss')</script></script>

2nd vector)
https://<IP>:2381/message.php?aa%00<script><script>alert('xss')</script></script>

3rd vector)
https://<IP>:2381/message.php?aa<BGSOUND SRC="javascript:alert('XSS');">

=====================================================================================
[Credits] 

Luca Carettoni (luca.carettoni[at]ikkisoft[dot]com) - http://www.ikkisoft.com/
Claudio Criscione (claudio[at]criscio[dot]net) - http://www.oversighting.com/
Lavakumar Kuppan (lavakumark[at]gmail[dot]com) - http://www.lavakumar.com/

=====================================================================================