_______________________________________________________________________________
I N F O R M A T I O N A N A R C H Y 2 K 0 1
www.nmrc.org/InfoAnarchy
Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Cyberiad [cyberiad@nmrc.org]
10May2002
_______________________________________________________________________________
Platforms : Solaris 2.8
Application: Critical Path inJoin V4.0 Directory Server
Severity : Low
Synopsis
--------
This advisory documents cross-site scripting vulnerabilities in the
Web-based administrator interface, named iCon, of the inJoin Directory
Server that allows an attacker with the correct username and password to
inject HTML script and use the server in a cross-site scripting attack.
Details
-------
The administrative web server, iCon, listens on TCP port 1500 and runs
under the ids account. By connecting to this port using a web browser and
entering a correct administrator username and password, an operator can
remotely administer the Directory Server. Testing of various
administrative URL's located situations in which script can be injected
and executed upon rendering of the response. Two examples are as follows,
http://ip:1500/DSASD&DSA=1&LOCID=&FRAME=Y
http://ip:1500/OBCR&OC=&FRAME=Y
Additional URL requests are also thought to be vulnerable. Testing
confirmed that the attack is not successful without the correct
administrator username and password.
Tested configurations
---------------------
Testing was performed with the following configurations:
Critical Path inJoin V4.0 Directory Server
Solaris 2.8
Vendor Response
---------------
Critical Path Inc:
Critical Path was contacted on April 30, 2002 and has implemented
preventative fixes for this issue. A maintenance release to be known as
iCon 4.1.4.7 will be posted on the Critical Path support website at
http://support.cp.net, which is available to supported customers. This
will be within the next few weeks, dependent upon other fixes that need to
be made available in this maintenance release.
Solution/Workaround
-------------------
Filter TCP port 1500 at the border to prohibit public access to the
Directory Server's administrative interface.
Use a strong password on the Directory Server administrator account and
change regularly. Distribute the password to only Directory Server
administrators.
Though administration of the Directory Server over SSL is currently not
supported, Ciritical Path recommends the use of VPN software to mitigate
the risk of disclosure of the administrator username and password. The
next major release of the Critical Path Directory Server will features
SSL-enablement of the web-based management interface.
Comments
--------
This advisory has been released under Information Anarchy -
http://www.nmrc.org/InfoAnarchy/
Copyright
---------
This advisory is Copyright (c) 2002 NMRC - feel free to distribute it
without edits but fear us if you use this advisory in any type of
commercial endeavour.
_______________________________________________________________________________