This is a copy of the mail sent to SecurityFocus Bugtraq on Tue, 08 Oct 2002 01:47:28 +0200.

Detailed CSS on MCMS
-------------------------------------------------------

Hi,

While doing a pen-test we found what seems to be a Cross Site Scripting on Microsoft Content Management Server.

In M$ words:

"Microsoft® Content Management Server 2001 (MSCMS) is an enterprise Web content management system that enables companies to build, deploy, and maintain Internet, intranet, and extranet Web environments. One essential component of the Web development process is the planning and implementation of a security policy for the site. (...) Within Microsoft Content Management Server, the AESecurity Service authenticates users. In this forms-based authentication system, users trying to access a secure Web page are redirected to a login form (an Active Server Pages [ASP] script called ManualLogin.asp) where they must enter a user name and password. After the user enters credentials, the ASP script does an HTML post of the login credentials to an ASP script called ManualLoginSubmit.asp, which communicates the data to the server. If user authentication succeeds, MSCMS saves a session cookie with an encrypted token in the Web browser. The token is comprised of the user identity, the time of login, and the login IP address; it is encrypted in the cookie with the Server Security Key. Each time the user requests a new page, MSCMS validates the token and grants or denies access accordingly. When the user logs off, the token is removed from the Web browser, and when the browser is closed, the session cookie is destroyed"

OK. The ManualLogin.asp has a parameter "REASONTXT" that shows the usual warning text: "You are using an insecure connection...". But we can inject code here like this:

ManualLogin.asp?REASONTXT=
Infohacking Team: Hugo Vazquez Carames & Toni Cortes Martinez
Copyright © 2001 All rights reserved.
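The reflection of REASONTXT described in the mail, and two ways to close it, modelled as an added example that is not part of the original mail and is not MCMS code. The page template, the reason codes, the default text and the inert probe string are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Simplified stand-in for the login page markup (not the real ManualLogin.asp).
PAGE = '<p class="reason">{reason}</p><form action="ManualLoginSubmit.asp" method="post"></form>'

# Hypothetical server-side reason codes replacing free text in the URL.
REASONS = {"insecure": "You are using an insecure connection..."}
DEFAULT_REASON = "Please log in."

# Constructed, inert probe: harmless markup that only shows whether input is reflected as HTML.
PROBE = "<i>probe-7f3a</i>"
SAMPLE_URL = "/ManualLogin.asp?REASONTXT=" + quote(PROBE)


def reason_param(url):
    """Return the decoded REASONTXT query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("REASONTXT", [""])[0]


def render_vulnerable(url):
    """Behaviour described in the mail: the parameter is echoed verbatim."""
    return PAGE.format(reason=reason_param(url))


def render_encoded(url):
    """Minimal fix: HTML-encode the value before writing it into the page."""
    return PAGE.format(reason=html.escape(reason_param(url), quote=True))


def render_allowlisted(url):
    """Stronger fix: the URL carries only a code; the text comes from the server."""
    text = REASONS.get(reason_param(url), DEFAULT_REASON)
    return PAGE.format(reason=html.escape(text, quote=True))


def reflects_markup(page):
    """Regression check: True if the probe reached the page unencoded."""
    return PROBE in page


if __name__ == "__main__":
    for render in (render_vulnerable, render_encoded, render_allowlisted):
        print(render.__name__, "reflects markup:", reflects_markup(render(SAMPLE_URL)))
```

In classic ASP the counterpart of `html.escape` is `Server.HTMLEncode`. The allowlisted variant also prevents an attacker-chosen message from appearing on the login page at all, which encoding alone does not.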