Security Research Advisory IBM inotes 9 Active Content Filtering Bypass



Similar documents
Security Research Advisory SugarCRM Cross-Site Scripting Vulnerability

HTTPParameter Pollution. ChrysostomosDaniel

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Hack Proof Your Webapps

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

A Tale of the Weaknesses of Current Client-side XSS Filtering

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July Contents

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Web Application Security

Security Research Advisory

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Security features of ZK Framework

Project 2: Web Security Pitfalls

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May Contents

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

SQL INJECTION IN MYSQL

Attack Vector Detail Report Atlassian

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web application security

Magento Security and Vulnerabilities. Roman Stepanov

Check list for web developers

Web-Application Security

Security Testing with Selenium

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

EECS 398 Project 2: Classic Web Vulnerabilities

The Top Web Application Attacks: Are you vulnerable?

Cross Site Scripting in Joomla Acajoom Component

Cross-Site Scripting

Intrusion detection for web applications

Webapps Vulnerability Report

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Cross Site Scripting Prevention

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Recent Advances in Web Application Security

Developing ASP.NET MVC 4 Web Applications MOC 20486

Penetration Test Report

OWASP TOP 10 ILIA

A Tale of the Weaknesses of Current Client-Side XSS Filtering

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Chapter 1 Web Application (In)security 1

Where every interaction matters.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Web Application Report

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Universal XSS via IE8s XSS Filters

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

How To Fix A Web Application Security Vulnerability

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Best Practices for Rich Media Ads in Asynchronous Ad Environments

Analysis of Browser Defenses against XSS Attack Vectors

Web Application Guidelines

Testing the OWASP Top 10 Security Issues

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Practical Exploitation Using A Malicious Service Set Identifier (SSID)

AppDefend Application Firewall Overview

Web application testing

Defending against XSS,CSRF, and Clickjacking David Bishop

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Ruby on Rails Secure Coding Recommendations

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Pwning Intranets with HTML5

Attacks on Clients: Dynamic Content & XSS

Developing ASP.NET MVC 4 Web Applications

MANAGED SECURITY TESTING

(WAPT) Web Application Penetration Testing

Web application security: automated scanning versus manual penetration testing.

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Exploits: XSS, SQLI, Buffer Overflow

Unbreakable ABAP? Vulnerabilities in custom ABAP Code Markus Schumacher, Co-Founder Virtual Forge GmbH

Adding Value to Automated Web Scans. Burp Suite and Beyond

Columbia University Web Security Standards and Practices. Objective and Scope

elearning for Secure Application Development

JBoss security: penetration, protection and patching. David Jorm

DIPLOMA IN WEBDEVELOPMENT

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Network Security Exercise #8

The Dark Side of Ajax. Jacob West Fortify Software

IBM Advanced Threat Protection Solution

Web Application Security Assessment and Vulnerability Mitigation Tests

BYOD Guidance: Architectural Approaches

Application security testing: Protecting your application and data

What is Web Security? Motivation

Ethical Hacking Penetrating Web 2.0 Security

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Transcription:

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7

Active Content Filtering Bypass Advisory Number SN-13-01 Severity Software Versions Accessibility CVE Author(s) H IBM inotes 9 Remote Vendor URL ibm.com/software/products/inotes CVE-2013-3032 CVE-2013-3990 Advisory URL Luca De Fulgentis Date Details 07/2013 Vulnerabilities Discovered 07/2013 Vendor Disclosure 08/2013 Security Bulletin Published 08/2013 Public Disclosure Summary IBM inotes is a web based version of the IBM Notes Client software. It interacts with IBM Domino providing collaboration tools using a variety of Web browsers across multiple platforms. IBM inotes allows to access Domino-based mail, calendar, schedule, to-do list, contacts, and notebook (Notes Journal) from any web-browser. It uses dynamic HTML and Ajax to provide a rich user-experience while minimizing the number of full-page refreshes and transactions interacting with the Domino web server. Vulnerability Details IBM inotes is prone to Active Content Filtering (ACF) Bypass, which results in Stored Cross-Site Scripting. The vulnerability could be further employed to realize Session Hijacking attacks or to create a persistent access to the victim mailbox adding a forwarding rule to an attacker controlled email address by means of Cross- Site Request Forgery.

Technical Details Description IBM inotes renders email messages in a browser window realized with HTML elements. To avoid the HTML content eventually present in email messages to interfere with the inotes interface and logic, it adopts a technology known as Active Content Filtering (ACF). ACF aims to transform potentially insecure content either by transforming it in harmless content (e.g., comments) or by removing the unsafe portions. IBM inotes adopts both the techniques: Comments JavaScript code specified by the <script> tag; Strips JavaScript related attributes such as onclick, onmouseover and similar. However, it has been found that for a specific payload, the ACF mechanism fails to protect the HTML content, allowing an attacker to inject JavaScript content by means of HTML attributes. Here follows a proof-of-concept aiming to exemplify the issue. HTML code provided as input to IBM inotes: <img src= < onerror=alert(1)src=x> HTML code obtained as a result: <img < onerror=alert(1) src=x> As shown, in this case the src= string has been removed from the HTML code, resulting in an improperly sanitized result which contains the onerror attribute that allows an attacker to inject JavaScript code in the inotes webpage. To demonstrate the effectiveness of this technique, a real example taken from an HTTP response generated by IBM inotes is shown in the next page.

Figure 1 - HTTP response showing the ACF Bypass. The ACF bypass can be effectively abused to perform stored XSS attacks against inotes users, as shown in Figure 2. Figure 2 Stored Cross-Site Scripting against IBM inotes.

In a real-world attack scenario, the bug could not only be exploited to perform Session Hijacking but also combined with Cross-Site Request Forgery (CSRF) to add a new e-mails forwarding rule to the victim's inotes application, thus effectively backdooring the victim's mailbox. As an additional aggravating factor, the mail preview mechanism, if enabled, implies that the victim is not required to open the message in order to trigger the execution of JavaScript code - greatly reducing the required user iteration.

Legal Notices Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating with software developers for properly handling disclosure issues. This advisory is copyright 2013 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to Secure Network. The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible. e-mail info@securenetwork.it phone +39 02 917 730 41

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information