VU#802596: Pattern Insight 2.3 contains multiple vulnerabilities

Vulnerability Note VU#802596
Pattern Insight 2.3 contains multiple vulnerabilities

Original Release date: 02 Nov 2012 | Last revised: 08 Nov 2012

Overview

The Pattern Insight web interface contains multiple vulnerabilities.

Description

CWE-352: Cross-Site Request Forgery (CSRF) CVE-2012-4935: Pattern Insight: CSRF protections do not exist

When an already authorized victim navigates to a malicious site containing a hidden form request, it is possible for the malicious site to make authenticated requests to Pattern Insight on behalf of the victim.

CWE-16: Configuration: CVE-2012-4936: Pattern Insight: clickjacking/framing vulnerability
The application can be loaded inside a frame on another site and is thus vulnerable to clickjacking. This can be mitigated by adding the response header “X-Frame-Options: DENY”. Frame-busting code can additionally be added to the application for defence in depth and for cases where the victim’s browser does not support X-Frame-Options. See https://www.owasp.org/index.php/Clickjacking

CWE-384: Session Fixation CVE-2012-4937: Pattern Insight: Insecure session management leading to privilege escalation
Pattern Insight session management is insecure, making privilege escalation and authentication bypass possible. When a user logs into Pattern Insight, the user’s browser either has or does not have a jsession_id session cookie associated with the Pattern Insight domain. If the user does not have a session cookie associated with the Pattern Insight domain, the server issues the user a jsession_id and associates that session id with the user’s current session. If the user already has a session cookie associated with the Pattern Insight domain, the server checks the “validity” of the session cookie. If the cookie is of “valid” form, the server associates the client-supplied jsession_id session cookie with the user’s new session instead of issuing a fresh one.

Attack scenario:
1. Attacker obtains a “valid” session key.
2. Attacker sets the victim’s jsession_id session cookie to the “valid” session key from step 1.
3. Once the victim logs in, the attacker knows the session id of a valid authenticated session.
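To make the reported session-handling flaw concrete, here is an added example (not Pattern Insight’s code) that simulates the described login behaviour beside a hardened login that regenerates the session id on authentication; the in-memory session store, the “valid form” check and all function names are assumptions of this example.

```python
import re
import secrets

# Constructed in-memory session store standing in for the server backend.
# The id format below is an ASSUMED stand-in for the advisory's "valid form" check.
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}$")
sessions = {}  # session_id -> {"user": username}


def new_session_id():
    """Mint an unpredictable session id (32 upper-case hex characters)."""
    return secrets.token_hex(16).upper()


def login_vulnerable(presented_cookie, username):
    """Mirrors the reported behaviour: a well-formed jsession_id supplied by
    the client is kept and bound to the freshly authenticated user."""
    if presented_cookie and SESSION_ID_RE.match(presented_cookie):
        sid = presented_cookie            # client-chosen value is accepted as-is
    else:
        sid = new_session_id()
    sessions[sid] = {"user": username}
    return sid


def login_fixed(presented_cookie, username):
    """Hardened version: discard whatever cookie arrived and issue a new id at
    the moment privilege changes (login), so a pre-set id is never bound."""
    if presented_cookie in sessions:
        del sessions[presented_cookie]    # invalidate any pre-login session
    sid = new_session_id()
    sessions[sid] = {"user": username}
    return sid


def whoami(sid):
    """Resolve a session id to its user, or None if it is not a live session."""
    entry = sessions.get(sid)
    return entry["user"] if entry else None


def fixation_succeeds(login_fn):
    """Replay the advisory's three-step scenario against a login function.
    Returns True if a pre-chosen, well-formed id ends up resolving to the
    victim's account after the victim authenticates."""
    sessions.clear()
    preset_sid = new_session_id()            # step 1: a well-formed id is chosen
    login_fn(preset_sid, "victim")           # step 2: victim logs in carrying it
    return whoami(preset_sid) == "victim"    # step 3: does that id now work?
```

Running fixation_succeeds against each login function shows the vulnerable variant binding the pre-set id to the victim and the hardened variant rejecting it.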

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE-2012-4938: Pattern Insight: HTML Injection In Banner Message
An admin can edit the banner message seen by all users, and HTML is allowed in this message. A possible mitigation is OWASP AntiSamy, which whitelists a safe subset of markup where HTML is still needed (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project).

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE-2012-4950 Pattern Insight: HTML Injection In Keyword Search page
The error messages on the Keyword Search page do not properly escape characters after encountering a character that the backend cannot parse. This results in a reflected XSS if an attacker sends a victim a specially crafted URL and the victim visits the application using that link.

Impact

An attacker with access to the Pattern Insight web interface can conduct cross-site scripting, cross-site request forgery, or privilege escalation attacks, which could result in information leakage, privilege escalation, and/or denial of service. Also, because the application can be framed, an attacker can perform clickjacking attacks.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS, CSRF, or SQLi attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing the Pattern Insight web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor           Status    Date Notified  Date Updated
Pattern Insight  Affected  07 Sep 2012    24 Oct 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.0    AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal       4.6    E:POC/RL:W/RC:UC
Environmental  1.6    CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/352.html
http://cwe.mitre.org/data/definitions/79.html
http://cwe.mitre.org/data/definitions/16.html
http://cwe.mitre.org/data/definitions/384.html
https://www.owasp.org/index.php/Clickjacking
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
https://owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Clickjacking#Defending_against_Clickjacking
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2012-4935
CVE-2012-4936
CVE-2012-4937
CVE-2012-4938
CVE-2012-4950

Date Public:
02 Nov 2012

Date First Published:
02 Nov 2012

Date Last Updated:
08 Nov 2012

Document Revision:
15

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.
