
Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability

======================================================================

                     Secunia Research 26/01/2004

   - IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -

======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/secunia_security_advisories/

======================================================================
Table of Contents

1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification

======================================================================
1) Affected Software

IBM Net.Data 7 and 7.2.

NOTE: Other versions have not been tested but may also be affected.

======================================================================
2) Severity

Rating:  Less critical
Impact:  Cross-Site Scripting
Where:   From Remote

======================================================================
3) Vendor's Description of Software

"Net.Data, a full-featured and easy to learn scripting language, allows
you to create powerful Web applications. Net.Data can access data from
the most prevalent databases in the industry".

Vendor:
http://www-3.ibm.com/software/data/net.data/

======================================================================
4) Description of Vulnerability

A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site.

The vulnerability is caused by an input validation error in the
db2www CGI component: the name of a requested Macro file is
included in "DTWP001E" error messages without sufficient sanitisation.

A malicious person can exploit this by constructing a link that
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session in the context of the affected
site.

Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information)
associated with the site running IBM Net.Data, or inclusion of
malicious content, which the user thinks is part of the real website.

NOTE: Other error messages may also be affected.
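
Added example (not part of the Secunia advisory or of IBM's code): a Python check that scans web server access-log lines for db2www requests whose macro-name path carries HTML metacharacters, including percent-encoded and double-encoded forms. The log lines, the macro name "orders.d2w" and the function names are constructed for illustration; only the /cgi-bin/db2www/ prefix and the example request come from the advisory.

```python
import re
from urllib.parse import unquote

# Path prefix of the db2www CGI, as shown in the advisory's example URL.
CGI_PREFIX = "/cgi-bin/db2www/"
# Characters that let a reflected macro name turn into markup in an error page.
HTML_META = re.compile(r"[<>\"']")
# Request line of a Common Log Format entry: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample entries (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2004:10:00:01 +0000] "GET /cgi-bin/db2www/orders.d2w/report HTTP/1.0" 200 5120',
    '192.0.2.44 - - [26/Jan/2004:10:00:07 +0000] "GET /cgi-bin/db2www/%3Cscript%3Ealert(document.domain)%3C/script%3E/A HTTP/1.0" 200 412',
    '192.0.2.44 - - [26/Jan/2004:10:00:09 +0000] "GET /cgi-bin/db2www/%253Cb%253E/A HTTP/1.0" 200 398',
    '192.0.2.51 - - [26/Jan/2004:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 1024',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_macro_name(log_line):
    """Return the decoded macro-name path if it contains HTML metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    # Drop the query string before decoding so an encoded '?' cannot split the path.
    path = decode_fully(match.group(1).split("?", 1)[0])
    if not path.startswith(CGI_PREFIX):
        return None
    macro_name = path[len(CGI_PREFIX):]
    return macro_name if HTML_META.search(macro_name) else None

def find_hits(lines):
    """Return (line_number, macro_name) for every suspicious db2www request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        name = suspicious_macro_name(line)
        if name is not None:
            hits.append((number, name))
    return hits

if __name__ == "__main__":
    for number, name in find_hits(SAMPLE_LOG):
        print(f"line {number}: macro name contains markup: {name!r}")
```

Hits only show that such a request was received; whether the markup was reflected depends on the error-message configuration described in the Solution section.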

======================================================================
5) Solution

The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
web site reacts in a predictable manner when encountering problems.

Example:
In the Net.Data configuration file "db2www.ini", insert an entry such
as:

DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE>

This will prevent various error messages from being returned to users.

======================================================================
6) Time Table

04/11/2003 - Vulnerability discovered.
04/11/2003 - Vendor notified.
07/11/2003 - Vendor confirms receiving vulnerability report. Report will
be forwarded to Net.Data team.
02/12/2003 - Requests status report from contact person.
02/12/2003 - Contact person responds that the Net.Data team will be
contacted.
14/01/2004 - Advisory draft sent to vendor along with set disclosure
date.
14/01/2004 - Contact person replies that the Net.Data team will be
contacted again.
22/01/2004 - Vendor confirms vulnerability and provides solution.
26/01/2004 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
vulnerability information relevant to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://www.secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2004-1/
======================================================================


