Cross-Site Scripting Vulnerability in RSA Archer eGRC

Advisory Information
Title: Cross-Site Scripting Vulnerability in RSA Archer eGRC
Release date: 31/01/2013
Last update: 05/02/2012
Credits: Coppeto Nello (Emaze Networks S.p.A.)

Vulnerability Information
Class: Input Validation Vulnerability, Cross-site Scripting
CVE: CVE-2012-1064

Affected Software
We confirm the presence of the security vulnerability on the following product version:
  • RSA Archer 5.1.3.1084

Vulnerability Details
RSA Archer eGRC can be exploited to cause a disclosure of the user’s session cookie, allowing an attacker to hijack the user session and take over the account.

The vulnerability is in the page WorkspaceDashboard.aspx, in the WorkspaceId parameter, whose value is reflected into the response without encoding.

A proof of concept of the Reflected Cross-Site Scripting follows:
  • https://host/Foundation/WorkspaceDashboard.aspx?WorkspaceId='"</script><script>alert("Cross-Site Scripting")</script> 
If the web application is configured with the HttpOnly flag on the cookie, it is possible to read the user session cookie (SessionToken) at the URL:
  • https://host/accesscontrol/UserProfile.aspx?pr=b61add5223474808902a08cd804d26dc
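The following Python script is an added example, not code from Emaze Networks or from RSA Archer, and it does not reproduce Archer's real page logic. It shows the defect class from a defender's side: a hypothetical page fragment that reflects WorkspaceId unencoded (as the advisory describes) beside the same fragment with HTML output encoding applied, plus a small detector that scans IIS-style W3C access log lines for script markup in the WorkspaceId parameter. The log lines and the render functions are constructed for this example; the PoC value is the one given above.

```python
import html
import re
from urllib.parse import parse_qs

# The parameter value from the advisory's proof of concept (decoded form).
POC_VALUE = '\'"</script><script>alert("Cross-Site Scripting")</script>'


def render_vulnerable(workspace_id: str) -> str:
    """Hypothetical fragment that reflects WorkspaceId verbatim into a script block.

    This mirrors the defect class described in the advisory, not Archer's code.
    A closing </script> in the value terminates the block and injects markup.
    """
    return f'<script>var workspaceId = "{workspace_id}";</script>'


def render_hardened(workspace_id: str) -> str:
    """Same value reflected into an HTML attribute after HTML-entity encoding.

    html.escape with quote=True encodes < > & " and ', so the value can no
    longer close the attribute or open a new tag, whatever it contains.
    """
    safe = html.escape(workspace_id, quote=True)
    return f'<input type="hidden" name="WorkspaceId" value="{safe}">'


# Markup or script fragments that have no business in a workspace identifier.
XSS_MARKERS = re.compile(r'[<>"\']|script|javascript:', re.IGNORECASE)

# Constructed sample in IIS W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2013-01-31 10:00:01 10.0.0.5 GET /Foundation/WorkspaceDashboard.aspx WorkspaceId=42 200
2013-01-31 10:00:07 10.0.0.9 GET /Foundation/WorkspaceDashboard.aspx WorkspaceId=%27%22%3C%2Fscript%3E%3Cscript%3Ealert(%22Cross-Site+Scripting%22)%3C%2Fscript%3E 200
2013-01-31 10:00:09 10.0.0.5 GET /Foundation/WorkspaceDashboard.aspx WorkspaceId=7 302
"""


def suspicious_requests(log_lines):
    """Return requests whose decoded WorkspaceId contains markup or script tokens.

    Each hit is a dict with the client IP, URI stem and the decoded value so an
    analyst can pivot to the session that received the reflected payload.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # comment, header or malformed line
        _date, _time, client, _method, stem, query, _status = fields[:7]
        # parse_qs percent-decodes the value and turns '+' into a space.
        params = parse_qs(query)
        for value in params.get("WorkspaceId", []):
            if XSS_MARKERS.search(value):
                hits.append({"client": client, "stem": stem, "value": value})
    return hits


if __name__ == "__main__":
    print(render_vulnerable(POC_VALUE))
    print(render_hardened(POC_VALUE))
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"reflected-XSS attempt from {hit['client']} on {hit['stem']}")
```

Encoding is the fix the upgrade delivers at the application layer; the log scan is the compensating control an operator can run against historical traffic while a version below 5.3 is still deployed. Note that, as the advisory states, marking the cookie HttpOnly does not close this issue because the SessionToken is also exposed in page content.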

Remediation
Upgrade RSA Archer eGRC to version 5.3.

Report Timeline
  • 08/02/2012 - Initial vendor contact.
  • 08/02/2012 - Vendor replied.
  • 08/02/2012 - Emaze sent a detailed email describing the vulnerability.
  • 09/02/2012 - Vendor replied that they will investigate the vulnerability.
  • 20/03/2012 - Emaze sent an email to ask for updates.
  • 21/03/2012 - Vendor notified that the product engineering team will fix the issue. The product engineering team is currently in the process of assessing the impact on various product versions and defining an implementation and release plan.
  • 12/04/2012 - Emaze sent an email to ask for updates and to notify the intention of disclosure.
  • 06/07/2012 - Vendor replied that the patch is currently planned to be released in early Q4.
  • 31/01/2013 - Vendor published advisory on BugTraq:
    http://www.securityfocus.com/archive/1/525541/30/0/threaded

Copyright
Copyright(c) Emaze Networks S.p.A. 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.


Disclaimer
Emaze Networks S.p.A. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community.

There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.