Bugtraq mailing list archives

Re: Zeus Admin Server v4.1r2 index.fcgi XSS bug


From: Colin Watson <colinw () zeus com>
Date: Wed, 11 Dec 2002 11:40:58 +0000

In article <3DCC12EC.000005.12196 () ariel yandex ru>, euronymous wrote:
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug
product: Zeus Admin Server v4.1r2 for linux/x86
vendor: http://www.zeus.co.uk
risk: very low (authorisation required)
date: 11/8/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/007.txt 
              http://xakep.host.sk/bz/007.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
            
description
-----------
in a default Zeus installation, you can access the
management interface via http://hostname:9090. 

[you have to enter correct login/password here]

there is some general script that contains an xss bug. 
btw, default management login is `admin'..

sample attack
-------------
http://hostname:9090/apps/web/index.fcgi?servers=
&section=<script>alert(document.cookie)</script>

[it must be in a single string]

Zeus Technology, 21st November 2002.
"Zeus Admin Server v4.1r2 index.fcgi XSS bug" vendor response.

On November 9th 2002, a cross-site-scripting attack against the Zeus
Administration Server was reported on bugtraq (incident "Zeus Admin
Server v4.1r2 index.fcgi XSS bug").

Zeus Technology have investigated this report and confirm that a harmless
cross-site-scripting exploit is possible under very limited conditions.
If an attacker tricked a Zeus Administrator into following a carefully
constructed link when logged into the Administration Server, the
attacker could retrieve a list of group names, and monitored variable
names and machines.  This information is not security-sensitive.  Zeus
Technology agree with the reporter's assessment that the risk is 'very
low'.

This vulnerability is present in Zeus Web Server 4.0 and 4.1.  It has
been resolved in Zeus Web Server 4.1r5 (released 19th Nov. 2002) and
Zeus Web Server 4.2 (released 21st Nov. 2002).

More details

This exploit can be used to retrieve any information stored in cookies
by the Zeus Administration Server.  To mount an attack, an attacker must
have prior knowledge of the host and port that the Administration Server
is running on, and must trick a Zeus Administrator into following a
carefully constructed link when logged into the Administration Server.

The Zeus Administration Server uses cookies to record several items of
transient state: the state of the folding list of groups of virtual
servers, and the list of currently monitored variables and machines if
real-time monitoring is in place.  It does not use cookies to store any
security-sensitive information, such as usernames or passwords.

Zeus Technology continue to advise that the Administration Server is
shut down when not in use as a matter of routine.  Zeus Technology do
not believe that this vulnerability is serious enough to merit upgrading
to versions 4.1r5 or 4.2.

Zeus Technology work closely with customers, evaluators, security
professionals and other researchers to ensure its products are secure
and free from defects. Any security-related comments received at
support () zeus com, or through any other means are treated with the utmost
attention.  Zeus Technology regret that the researcher who discovered
this exploit did not make any attempt to contact the vendor at any time.

[Apologies for the delay in getting this reply to bugtraq.]

Regards,

-- 
Colin Watson, <colinw () zeus com>                      Zeus Technology Ltd
Software Engineer                            Universally Serving the Net
Tel:+44(0)1223 525000  Fax:+44(0)1223 525100        http://www.zeus.com/
Zeus House, Cowley Road, Cambridge, CB4 0ZT, ENGLAND
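
A log check for the request pattern in the quoted advisory, added here as an example and not part of the original message or of Zeus's code: it flags requests to index.fcgi whose query parameters decode to HTML markup characters, including double-encoded ones. The combined-style log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a combined-style access log (assumed format): "GET /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ADMIN_SCRIPT = "/apps/web/index.fcgi"   # script path named in the advisory
MARKUP_CHARS = set("<>\"'")             # characters that must be escaped in HTML output

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - admin [11/Dec/2002:11:40:58 +0000] "GET /apps/web/index.fcgi?servers=&section=status HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [11/Dec/2002:11:41:03 +0000] "GET /apps/web/index.fcgi?servers=&section=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.10 - admin [11/Dec/2002:11:41:09 +0000] "GET /apps/web/index.fcgi?servers=&section=%253Cb%253E HTTP/1.1" 200 5133',
    '192.0.2.10 - admin [11/Dec/2002:11:41:15 +0000] "GET /other/page.fcgi?q=%3Cb%3E HTTP/1.1" 200 812',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return names of index.fcgi query parameters whose values carry markup characters."""
    parts = urlsplit(target)
    if parts.path != ADMIN_SCRIPT:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes one layer
    return [name for name, value in pairs if MARKUP_CHARS & set(fully_decode(value))]

def scan(lines):
    """Yield (line_number, parameter_names) for each log line worth reviewing."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        names = suspicious_params(match.group(1)) if match else []
        if names:
            yield number, names

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in parameter(s) {', '.join(names)}")
```

A hit only shows that such a link was followed by a logged-in administrator; whether the markup was reflected depends on the server version.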

