Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29736
HistorySep 09, 2013 - 12:00 a.m.

Vulnerabilities in Avaya IP Office Customer Call Reporter

2013-09-0900:00:00
vulners.com
12

Hello 3APA3A!

I want to warn you about vulnerabilities in Avaya IP Office Customer Call Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site Scripting) vulnerabilities.

After I found multiple vulnerabilities in Avaya IP Office Customer Call Reporter in December, I informed ZDI about them (critical ones). ZDI was very slow in processing these holes (regardless of my remindings) and only at 30th of July they begun actively working with them. I wrote about this case with ZDI in WASC Mailing List (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).

When Avaya ignored my informing in July and ZDI stopped working on this case in August (since Avaya was not responding to them also), I published these two vulnerabilities (the least critical). There are many other vulnerabilities, including critical holes which allow to take control over admin panel, so Avaya still has a chance to get details of vulnerabilities in their product before public disclosure.


Affected products:

Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in December 2012) and 9.0.0.0 (tested recently) and previous versions.


Affected vendors:

Avaya Inc.
http://www.avaya.com


Details:

Remote HTML Include (Frame Injection) (WASC-12):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua

Remote XSS Include (Cross-Site Scripting) (WASC-08):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html


Timeline:

2012.12.06 - found multiple vulnerabilities (these ones and other critical holes).
2012.12.13 - informed ZDI about other critical vulnerabilities.
2012.12.18 - again informed ZDI about other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and other critical vulnerabilities, due to slowness of ZDI.
2013.07.29 - wrote about ZDI in WASC Mailing List.
2013.07.30 - if earlier ZDI only pretended they work on the case, then this time they started working actively on it (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua