CVE-2005-0548
CVSS4.3
发布时间 :2005-03-07 00:00:00
修订时间 :2016-10-17 23:12:38
NMCOEPS    

[原文]Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search function.


[CNNVD]Sun AnswerBook2多个安全漏洞(CNNVD-200503-060)

        Solaris是一款商业性质的操作系统。
        在AnswerBook2 Server中发现了2个有关恶意HTML标记的漏洞。
        
         1. AnswerBook2的搜索功能动态的生成web页面,这可能允许执行脚本,或向用户提供恶意的HTML。如果用户跟随了链接到AnswerBook2搜索结果的网页,邮件消息或新闻组张贴中不可信任的链接/URI的话,就可能在他们的浏览器中无意中执行远程普通用户编写的脚本。远程攻击者可以通过这些不可信任的链接/URI以访问链接/URI用户的权限执行任意命令。
        
         2. AnswerBook2基于浏览器的管理界面(GUI)中的"浏览日志文件"功能可能受跨站脚本攻击的影响。由于这个漏洞,访问"浏览日志文件"功能的AnswerBook2管理员可能无意中执行本地或远程普通用户编写的脚本。命令会以正在使用AnswerBook2基于浏览器的管理GUI用户的权限执行,可能是特权用户。
        

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:sun:solaris_answerbook2:1.2
cpe:/a:sun:solaris_answerbook2:1.4.4Sun Solaris AnswerBook2 1.4.4
cpe:/a:sun:solaris_answerbook2:1.4Sun Solaris AnswerBook2 1.4
cpe:/a:sun:solaris_answerbook2:1.4.3
cpe:/a:sun:solaris_answerbook2:1.3
cpe:/a:sun:solaris_answerbook2:1.4.2Sun Solaris AnswerBook2 1.4.2
cpe:/a:sun:solaris_answerbook2:1.4.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0548
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0548
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-060
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=111205163531628&w=2
(UNKNOWN)  BUGTRAQ  20050328 Multiple XSS issues in Sun AnswerBook2
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1
(VENDOR_ADVISORY)  SUNALERT  57737
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000230.1-1
(UNKNOWN)  SUNALERT  1000230

- 漏洞信息

Sun AnswerBook2多个安全漏洞
中危 跨站脚本
2005-03-07 00:00:00 2005-10-20 00:00:00
远程  
        Solaris是一款商业性质的操作系统。
        在AnswerBook2 Server中发现了2个有关恶意HTML标记的漏洞。
        
         1. AnswerBook2的搜索功能动态的生成web页面,这可能允许执行脚本,或向用户提供恶意的HTML。如果用户跟随了链接到AnswerBook2搜索结果的网页,邮件消息或新闻组张贴中不可信任的链接/URI的话,就可能在他们的浏览器中无意中执行远程普通用户编写的脚本。远程攻击者可以通过这些不可信任的链接/URI以访问链接/URI用户的权限执行任意命令。
        
         2. AnswerBook2基于浏览器的管理界面(GUI)中的"浏览日志文件"功能可能受跨站脚本攻击的影响。由于这个漏洞,访问"浏览日志文件"功能的AnswerBook2管理员可能无意中执行本地或远程普通用户编写的脚本。命令会以正在使用AnswerBook2基于浏览器的管理GUI用户的权限执行,可能是特权用户。
        

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57737-1

- 漏洞信息 (10386)

Sun Solaris AnswerBook2 Multiple XSS (EDBID:10386)
solaris webapps
2005-05-07 Not Verified
0 Thomas Liam Romanis
N/A [点击下载]
Sun Solaris AnswerBook2 is reported prone to multiple cross-site scripting vulnerabilities because the software fails to properly sanitize user-supplied data. Exploits will allow arbitrary HTML and script code to run in a victim's browser, allowing the attacker to steal cookie-based credentials and launch other attacks.

The Search function and the AnswerBook2 admin interface are affected.

AnswerBook2 1.4.4 and prior versions are vulnerable. 

Bugtraq ID: 12746
Class: Input Validation Error
CVE: CVE-2005-0548
CVE-2005-0549
Remote: Yes
Local: No
Published: Mar 07 2005 12:00AM
Updated: Dec 11 2009 03:44PM
Credit: Discovery is credited to Thomas Liam Romanis.
Vulnerable: Sun AnswerBook2 1.4.4
Sun AnswerBook2 1.4.3
Sun AnswerBook2 1.4.2
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.4.1
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_x86
- Sun Solaris 8_x86
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.4
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.3
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 8
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.2
+ Sun Solaris 8_x86
+ Sun Solaris 8
+ Sun Solaris 7.0_x86
+ Sun Solaris 7.0
+ Sun Solaris 2.6_x86
+ Sun Solaris 2.6_sparc
+ Sun Solaris 2.6

The following proofs of concept are available:

For the cross-site scripting issue in the Answerbook2 search function:

http://www.example.com/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

For the admin interface 'View Log Files' function:

http://www.example.com/ab2/@Ab2Admin?command=view_access		

- 漏洞信息 (F36842)

answerbook2.txt (PacketStormID:F36842)
2005-03-29 00:00:00
Thomas Liam Romanis  
exploit,xss
CVE-2005-0548,CVE-2005-0549
[点击下载]

PTT Security Advisory - Sun Answerbook2 version 1.4.4 is susceptible to cross site scripting and administration attacks. Exploitation provided.

PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is AN xss issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low. 

http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result. 

2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file ( /var/log/ab2/logs/access-8888.log) or Error log file ( /var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, If an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature 

removal here: 

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported 

releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for 

the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and 

using other sources of documentation, namely the Solaris Documentation CD and online formats at 

http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1

    

- 漏洞信息

14633
Sun AnswerBook2 Documentation Search Function XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2005-03-07 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Sun Solaris AnswerBook2 Multiple Cross-Site Scripting Vulnerabilities
Input Validation Error 12746
Yes No
2005-03-07 12:00:00 2009-12-11 03:44:00
Discovery is credited to Thomas Liam Romanis.

- 受影响的程序版本

Sun AnswerBook2 1.4.4
Sun AnswerBook2 1.4.3
Sun AnswerBook2 1.4.2
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.4.1
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_x86
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.4
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.3
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.3
- Sun Solaris 2.3
Sun AnswerBook2 1.2
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun Solaris 7.0_x86
+ Sun Solaris 7.0
+ Sun Solaris 2.6_x86
+ Sun Solaris 2.6_sparc
+ Sun Solaris 2.6

- 漏洞讨论

Sun Solaris AnswerBook2 is reported prone to multiple cross-site scripting vulnerabilities because the software fails to properly sanitize user-supplied data. Exploits will allow arbitrary HTML and script code to run in a victim's browser, allowing the attacker to steal cookie-based credentials and launch other attacks.

The Search function and the AnswerBook2 admin interface are affected.

AnswerBook2 1.4.4 and prior versions are vulnerable.

- 漏洞利用

An exploit is not required.

The following proofs of concept are available:

For the cross-site scripting issue in the Answerbook2 search function:

http://www.example.com/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%
29%3C%2Fscript%3E&Search=+Search+

For the admin interface 'View Log Files' function:

http://www.example.com/ab2/@Ab2Admin?command=view_access

- 解决方案

Sun has released an advisory to address these issues. Please see the referenced advisory for details.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站