Security Update 6-29-2009
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities in Dashboard, Open, and Browse Actions
Hannon Hill rates the severity of these vulnerabilities as
Moderate. The vulnerabilities allow an attacker to assume a victim's
privileges, but they require the attacker to manipulate victims
using social engineering tactics. If the attacker already had
Cascade credentials, he/she could embed a malicious link in
frequently visited content to more easily manipulate victims into
navigating to it.
The underlying vulnerability is that when the search query supplied
by the user cannot be parsed, the query is reflected verbatim,
without HTML escaping, into the error message displayed in the
browser.
An attacker without access to Cascade could manipulate victims into
navigating to a crafted link to the Cascade search action.
An example link would be:
An attacker with access to Cascade could embed the link in a
prominent place within Cascade page content to more easily
manipulate victims into navigating to it.
The CSRF vulnerability is an extension of the XSS vulnerability,
except that it also requires the attacker to have access to a server
under the same parent domain as the one where Cascade is running.
For example, if Cascade is hosted at cascade.hannonhill.com, the
attacker would also need access to a host in that domain, such as
intranet.hannonhill.com.
The steps to exploit this vulnerability are as follows:
1. Create XSS like:
Here the injected script sets document.domain to the shared parent
domain (hannonhill.com in the example above). Because a page served
from the attacker's host can set its document.domain to the same
value, the browser treats the two pages as the same origin. This
bypasses the Same Origin Policy restrictions that would otherwise
keep content from the attacker's server and the Cascade page from
scripting each other.
2. Social engineer a victim into visiting the above XSS link or, if the attacker already has access to Cascade, embed the link in the content of a frequently visited page.
3. When the victim clicks the link, the malicious script loads and sends the victim's document.cookie (which includes the JSESSIONID) to the attacker's offsite server.
4. Attacker visits https://cascade.domain.com:port/login.act to have the system set a valid session cookie on the attacker's browser.
5. Attacker replaces his/her valid JSESSIONID with the one retrieved via XSS and successfully assumes the identity of the victim.
The XSS and CSRF vulnerabilities exist in all Cascade Server
versions prior to 5.7.5 in the 5 series and prior to 6.0.3 in the
6 series.
The fix is for Cascade to HTML-escape the user-supplied query, or omit it entirely, when displaying the error message on the search results page.
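To make the vulnerability and the fix concrete, the following Node.js script is an added example, not Cascade Server's own code. It models a search page that reflects the user's query in two HTML contexts (the search box value attribute and the "could not parse" error message), once the vulnerable way and once with the escaping described above, and includes a small check that lists any tags the request itself introduced into the rendered page. The query grammar, the markup, the function names and the probe string are all constructed for illustration and are not taken from Cascade.

```javascript
// Added example, not Cascade Server code: a search page that re-renders the
// user's query in two HTML contexts (the search box value attribute and an
// error message) the vulnerable way, echoing input verbatim, and the fixed way,
// HTML-escaping it first. Query grammar, markup and probe string are constructed.

// Escape the five characters that matter in HTML element content and in
// double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in query parser (assumption, not Cascade's grammar): accepts word
// characters, whitespace, quotes, wildcards and hyphens; rejects anything else.
function parseQuery(q) {
  if (!/^[\w\s"*-]*$/.test(q)) throw new Error('unparsable query');
  return q.trim().split(/\s+/).filter(Boolean);
}

// Vulnerable rendering: q is concatenated straight into an attribute and into
// the error message, so "> closes the attribute and <script> lands in the page.
function renderSearchVulnerable(q) {
  let body;
  try {
    body = `<p>Results for ${parseQuery(q).join(' ')}</p>`;
  } catch (e) {
    body = `<p class="error">Could not parse search query: ${q}</p>`;
  }
  return `<form><input name="q" value="${q}"></form>${body}`;
}

// Fixed rendering: every reflection of q goes through escapeHtml, and the
// error message can omit the input entirely (the advisory's "hide" option).
function renderSearchFixed(q, echoInput = true) {
  const safeQ = escapeHtml(q);
  let body;
  try {
    body = `<p>Results for ${escapeHtml(parseQuery(q).join(' '))}</p>`;
  } catch (e) {
    body = echoInput
      ? `<p class="error">Could not parse search query: ${safeQ}</p>`
      : '<p class="error">Could not parse search query.</p>';
  }
  return `<form><input name="q" value="${safeQ}"></form>${body}`;
}

// Check used to confirm the fix: which tag names appear in the page rendered
// for q that are absent from the page rendered for an unparsable but harmless
// query? Anything listed here was introduced by the request.
function injectedTags(render, q) {
  const tagsOf = html =>
    (html.match(/<\/?[a-zA-Z][^>\s]*/g) || []).map(t => t.toLowerCase());
  const baseline = new Set(tagsOf(render('~'))); // '~' is rejected by parseQuery
  return [...new Set(tagsOf(render(q)).filter(t => !baseline.has(t)))];
}

// Constructed reflected-XSS probe: breaks out of the value attribute, then
// injects a script element into the error message as well.
const probe = '"><script>alert(document.cookie)</script>';

console.log(renderSearchVulnerable(probe));
console.log(renderSearchFixed(probe));
console.log('tags injected (vulnerable):', injectedTags(renderSearchVulnerable, probe));
console.log('tags injected (fixed):     ', injectedTags(renderSearchFixed, probe));
```

Run with `node search-escape.js`. The vulnerable renderer reports `<script` and `</script` as request-introduced tags; the fixed renderer reports none, because the probe is reflected only as `&quot;&gt;&lt;script&gt;...`. The same `injectedTags` comparison is a cheap regression check to keep next to any template that reflects request data.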
This issue has been fixed in Cascade 5.7.5, 6.0.3, and later. There are no patch versions available for Cascade versions 5.5.x or earlier. We recommend an upgrade to Cascade 5.7.x or later.