Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31252
HistoryOct 15, 2014 - 12:00 a.m.

[RT-SA-2013-003] Endeca Latitude Cross-Site Scripting

2014-10-1500:00:00
vulners.com
23
JSON

Advisory: Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS)
vulnerability in Endeca Latitude. By exploiting this vulnerability an
attacker is able to execute arbitrary JavaScript code in the context
of other Endeca Latitude users.

Details

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE: CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400

Introduction

Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.

(from the vendor's homepage)

More Details

Endeca Latitude offers administrators to trigger different functions by
using the following two URLs (see [1]):

When accessing such an URL which uses an invalid value for the HTTP GET
parameter "op", such as
http://example.com/config?op=RedTeam%20Pentesting, an error message is
shown by the webapplication and the invalid value is directly embedded
into the document without prior escaping, which leads to a Cross-Site
Scripting vulnerability.

Proof of Concept

As shown by the following URL, an attacker is able to embed arbitrary
JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=&lt;script&gt;alert&#40;&#39;RedTeam Pentesting');</script>

Workaround

The vendor did not update the vulnerable software, but recommends to
configure all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.

Fix

Not available. The vendor did not update the vulnerable software to
remedy this issue.

Security Risk

The vulnerability can be used to embed arbitrary JavaScript code and
therefore offers a wide range of possible attacks such as stealing
cookies or displaying a fake login form. Furthermore, an attacker can use
this vulnerability to control the Endeca Latitude instance by using the
API implemented by its web service (see [2]). The risk of this
vulnerability is therefore considered to be high.

Timeline

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
CPU
2014-03-13 Vendor responded with additional information about a
potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released

References

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

– RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschaftsfuhrer: Patrick Hof, Jens Liebchen

Related

packetstorm 1
prion 2
cve 2
oracle 1
securityvulns 1
packetstorm
packetstorm
Endeca Latitude 2.2.2 Cross Site Scripting
2014-06-25 00:00:00
prion
prion
Design/Logic Flaw
2014-04-16 01:55:00
Design/Logic Flaw
2014-04-16 01:55:00
cve
cve
CVE-2014-2400
2014-04-16 01:55:00
CVE-2014-2399
2014-04-16 01:55:00
oracle
oracle
Oracle Critical Patch Update - April 2014
2014-04-15 00:00:00
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities
2014-05-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:31252
packetstorm1prion2cve2oracle1securityvulns1