Sense of Security – Security Advisory – SOS-09-001
| Release Date. | 23-Feb-2009 |
| Last Update. | 23-Feb-2009 |
| Vendor Notification Date. | 20-Oct-2008 |
| Product. | Libero |
| Platform. | Windows (verified), possibly others |
| Affected versions. | Libero v5.3 SP5 (verified), possibly others. |
| Severity Rating. | Medium |
| Impact. | Cookie/credential theft |
| Impersonation | |
| Loss of confidentiality | |
| Attack Vector. | Remote |
| Solution Status. | Vendor patch not yet available |
| CVE reference. | CVE-2009-0540 |
Details.
Libero is a library management system. During an application penetration test Sense of Security identified a cross-site scripting vulnerability in the search feature of the Libero web application. This occurred as a result of the application not properly filtering HTML tags which allowed malicious Javascript to be embedded. When input is incorrectly validated and not properly sanitised and then displayed in a web page, attackers can trick users into viewing the web page and causing malicious code to be executed.
Proof of concept.
You can test the susceptibility of your system to this issue by entering the following string into the search term form field and clicking ‘search’.
<script>alert(document.cookie)</script>
A vulnerable site will return the users. session ID.
Solution.
The vendor has advised that the fix will be made available in Libero v5.5 SP1. A fix will not be made available for previous versions.
Discovered by.
Oliver Greiter from SOS Labs.