[SMT-SA-2013-01] Alcatel Lucent MyTeamWork XSS

Vulnerability Type: Cross-Site Scripting

CVE: CVE-2013-4653

Products and affected versions:

OmniTouch 8660 My Teamwork prior to release 6.7
OmniTouch 8670 AMDS (Automated Message Delivery System) prior to release 6.7
OmniTouch 8460 Advanced Communication Server prior to release 9.1
OmniTouch 8400 Instant Communications Suite prior to release 6.7.3

Vendor Website:
http://enterprise.alcatel-lucent.com/?product=MyTeamwork&page=overview

Alcatel-Lucent Advisory:
http://www3.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2013001.htm


=================
Vulnerability Details
=================

A Cross-Site Scripting vulnerability has been found in Alcatel-Lucent OmniTouch MyTeamWork. Input passed via the "product" field to the login page is not properly sanitised before being returned to the user. This could be exploited to inject arbitrary JavaScript into the login page.


Attack Scenarios:

- An attacker could steal a username/password previously stored by the browser's password manager by convincing users to visit a malicious web site or follow a malicious URL.

- An attacker could perform actions when a logged-in user visits a specially crafted web page, for example to manipulate a client session, to impersonate a legitimate user in order to view or alter user data, or to perform transactions as that user.



=================
Proof Of Concepts
=================

PoC-1: Test XSS:

https://site_with_MyTeamWork/ics?action=signin&product=buddies";}}</script><script>alert(/VULNERABLE/)</script>&display=main_frameset


PoC-2: Show saved password:

https://site_with_MyTeamWork/ics?action=signin&product=buddies";}}</script><script>setTimeout("alert(document.signinForm.password.value)", 1000);</script>&display=main_frameset
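
Both PoC values start with ";}}</script>, which suggests that "product" is reflected inside a double-quoted JavaScript string in an inline script block. The added example below (not part of the original advisory and not vendor code) rebuilds that pattern under this assumption and sets it beside an allow-list check plus JavaScript-string encoding; the template, PRODUCT_PATTERN and all function names are hypothetical.

```javascript
// Added illustration; the template is an assumed reconstruction, not vendor code.
// PoC-1 "product" value, copied from the advisory above.
const POC1 = 'buddies";}}</script><script>alert(/VULNERABLE/)</script>';

// Hypothetical shape of a legitimate product name ("buddies" is the only one shown).
const PRODUCT_PATTERN = /^[a-z]{1,32}$/;

// Assumed login-page fragment: the value lands in a double-quoted JS string
// nested two braces deep inside an inline <script> element.
const page = (jsValue) =>
  '<script>function init(){if(window.top){var product="' + jsValue + '";}}</script>';

// Vulnerable pattern: raw request parameter concatenated into the script.
const renderVulnerable = (product) => page(product);

// Encode for a JS string context: everything outside a small safe set becomes
// \uXXXX, so quotes, backslashes, "<", "/" and line terminators cannot end the
// string literal or the script element.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened pattern: reject unexpected values, and still encode what is accepted.
function renderHardened(product) {
  if (typeof product !== "string" || !PRODUCT_PATTERN.test(product)) {
    return null; // caller should answer with an error page instead of reflecting
  }
  return page(escapeForJsString(product));
}

// Number of <script> elements opened in a rendered fragment.
const countScriptTags = (html) => (html.match(/<script/gi) || []).length;

console.log("vulnerable:", countScriptTags(renderVulnerable(POC1)), "script elements");
console.log("encoded only:", countScriptTags(page(escapeForJsString(POC1))), "script element");
console.log("hardened:", renderHardened(POC1), "/", renderHardened("buddies"));
```

Encoding alone keeps the value inside the string literal; the allow-list additionally stops unexpected values from being reflected at all.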




=========
Solutions
=========

Alcatel-Lucent has released updates.

For OmniTouch 8660 My Teamwork: Update to release 6.7
For OmniTouch 8670 AMDS (Automated Message Delivery System): Update to release 6.7
For OmniTouch 8460 Advanced Communication Server: Update to release 9.1
For OmniTouch 8400 Instant Communications Suite: Update to release 6.7.3


========
Timeline
========

7th November 2012 - Vulnerability discovered and notified to Alcatel-Lucent by Psirt.Security@alcatel-lucent.com

May 2013 - Alcatel-Lucent informed customers and business partners

2nd July 2013 - Coordinated Public Disclosure



================
Other References
================

Alcatel-Lucent Advisory:
http://www3.alcatel-lucent.com/wps/DocumentStreamerServlet?LMSG_CABINET=Corporate&LMSG_CONTENT_FILE=Support/Security/2013001.htm

Security Focus:
http://www.securityfocus.com/bid/60902/info

Secunia:
http://secunia.com/advisories/54000/


==============
Credits/Author
==============

Giovanni Delvecchio
SmartNet s.r.l.
Viale dell'Esperanto, 71 - 00144 - Roma
e-mail: g.delvecchio@smartnetsecurity.net


==========
Disclaimer
==========
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore SmartNet s.r.l shall
not be liable for any direct or indirect damages that might be
caused by using this information.
