exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-09-15.1

Atstake Security Advisory 03-09-15.1
Posted Sep 16, 2003
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Security Advisory A091503-1 - The Nokia Electronic Documentation product has three vulnerabilities. A cross-site scripting vulnerability allows an attacker to run malicious code if javascript is enabled. A directory listing of the web root is available by supplying the underlying webserver with a period. NED can also be inadvertently used as an HTTP proxy server.

tags | advisory, web, root, javascript, vulnerability, xss
SHA-256 | 4924ba9b5946a4e3970ccd2e0126327f9de57382c0d428f532349345aa409bd4

Atstake Security Advisory 03-09-15.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Nokia Electronic Documentation - Multiple Vulnerabilities
Release Date: 09/15/2003
Application: NED (Nokia Electronic Documentation)
Platform: Windows NT4 and WebLogic tested (others may be
susceptible)
Severity: Information disclosure / cross-site scripting Open
Proxy
Authors: Ollie Whitehouse <ollie@atstake.com>
Vendor Status: Informed / Statement Below
CVE Candidate: (pending) Multiple Nokia Electronic Documentation
Issues
Reference: www.atstake.com/research/advisories/2003/a091503-1.txt


Overview:

Nokia (https://www.nokia.com) provides a web-based documentation
interface called NED for a number of it's cellular network products.

@stake have discovered three vulnerabilities in this product:
- Cross-site scripting
- Directory listing of certain directories under the web-root
- Being able to use NED as a proxy server for HTTP requests

Normally, NED deployments are within the OAM/O&M networks of the
cellular operator. However, as @stake discussed in the white paper
'GPRS Wireless Security: Not Ready for Prime Time'
(https://www.atstake.com/research/
reports/acrobat/atstake_gprs_security.pdf) these networks can be
exposed to risks which are not normally within the operators risk
profiles.


Details:

The following examples are from a standard NED installation, which
in @stake's experience is upon NT4/IIS 3.0.

1) Cross-site scripting

A very simple cross-site scripting vulnerability exists. For
example, if an attacker makes the following request:

https://target/docs/<script>alert('@stake');</script>

This will cause the malicious code to run in the attacker's browser
if Javascript is enabled.

2) Directory Listings

It is possible to cause the underlying application server
(WebLogic) to return a directory listing of the web-root. This is
achieved by simply supplying a '.' as the location to the NED
application. For example:

https://target/docs/NED?action=retrieve&location=.

In addition, this will also return the physical path that NED
is installed on, which is by default:


'e:\nemu\platform\active\docs\ned\Web-inf\special\'

3) Open Proxy

By specifying a location which contains the HTTP protocol URI, as
contained within the example URL below, one can cause NED to
retrieve the page in question and deliver the contents back. This
can potentially be used to launch attacks against hosts that the
NED server may have access to but the attacker does not (for
example in a DMZ deployment).

https://target/docs/NED?action=retrieve&location=https://target2/


Vendor Response:

"Nokia has analyzed the three vulnerabilities in NED 5.0 that
@stake has discovered, and find them only to have consequences
under exceptional circumstances.

Exceptional circumstances meant here are potential intruders
(outsiders or own personnel) who have accessed the telecom
operators production/O&M network without authorization.

Telecom operators production networks and especially O&M networks
are isolated from other internal networks and public internet and
also operators own O&M personnel are considered to be trustworthy.
Thus Nokia will not provide any hot fixes (patches or workaround)
at this moment but will inform telecom operator customers about
the potential vulnerabilities and will remedy a defect in the next
NED 5.1 release upgrades at the beginning of the next year."


Recommendation:

Look for the Nokia upgrades at the beginning of 2004. In addition,
operators should look to deploy additional network-based access
control around devices that have NED deployed on them.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (https://cve.mitre.org), which standardizes
names for security problems.

(pending) Multiple Nokia Electronic Documentation Issues


@stake Vulnerability Reporting Policy:
https://www.atstake.com/research/policy/

@stake Advisory Archive:
https://www.atstake.com/research/advisories/

PGP Key:
https://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP2YixUe9kNIfAm4yEQJG6gCgiHpwSbhWPq44RIhs1u/mQlDu/iYAoNaq
uVq9ge2vPMk5e0uiuxRWKnjT
=qpvD
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close