Cross-site scripting vulnerability in SARA v<=4.2.7

["Thomas M. Payerle" <payerle () physics umd edu>]

XSS Vulnerability in Security Auditor's Research Assistant (SARA) versions
before 5.0.0

Affects:
SARA versions 4.2.6 and 4.2.7.  Older versions not tested, presumably affected.

Related software (sharing common ancestry):
SATAN 1.1.1 would not run properly on my test platform, but checking the code
it did not look like it was affected.

SAINT does not appear to be affected.  Because of licensing constraints,
I was only able to test a rather old verion (3.1.2), but Saint Corporation
was contacted and indicated version 5.1.2 is not affected, and state that
earlier versions should also be unaffected.


Description:
SARA, a descendent of SATAN, is a tool for probing networks for vulnerabilities
(ideally to fix them).  It creates its own mini-http server to enable the
user to interact with the main process through a standard web browser.  If
scanning in interactive mode, information about target hosts and services
running on them is displayed, and in some cases this includes banners from
the service.  In SARA version 4.2.7 and before, the service banners were not
properly sanitized, allowing HTML content in the banner to be processed by
the administrative web browser.

This allows standard cross site scripting issues, which might be seriously
exascerbated by the facts that:
        i) the normal mode of operation is for the web browser to be started
by sara, and as sara must be run as root for scanning operations, the web
browser is typically a root owned process.
        ii) The simplified http server automatically assigns the values of html
form variables to global variables in the Perl script with the same name.

Solution:
Advanced Research Corporation was contacted about the issue 20 Nov, and has
included code in version 5.0.0 of the package to deal with the problem.
Upgrading is recommended (see http://www-arc.com/sara/ for download
information.)

I would also recommend against performing scans in interactive mode in any
these packages.  Instead, I recommend that scans be run from the command line
(or a script), thereby avoiding the invocation of the interactive http
interface as root.  Data analysis does not require root privileges, and it
would be safer to only use the interactive interface with less privileged
accounts (though access to the results files still required).


Tom Payerle
Dept of Physics                         payerle () physics umd edu
University of Maryland                  (301) 405-6973
College Park, MD 20742-4111             Fax: (301) 314-9525