=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN161
_____________________________________________________________________

DATE                      : 09/03/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris 7, Solaris 8 running AnswerBook2.

======================================================================

    Sun(sm) Alert Notification
      * Sun Alert ID: 57737
      * Synopsis: Security Vulnerabilities in Solaris AnswerBook2
        Documentation
      * Category: Security
      * Product: Answerbook2
      * BugIDs: 6228248, 6228257
      * Avoidance: Workaround
      * State: Resolved
      * Date Released: 07-Mar-2005
      * Date Closed: 07-Mar-2005
      * Date Modified:

    1. Impact

    Two vulnerabilities have been discovered in the AnswerBook2 Server
    related to malicious HTML tags.

    1. The AnswerBook2 Search function dynamically generates web pages
    from the search request and may reflect script or malicious HTML
    contained in that request back to the user (cross-site scripting).
    Users may unintentionally execute script written by a remote
    unprivileged user if they follow untrusted links/URIs in web pages,
    mail messages, or newsgroup postings which link to AnswerBook2 search
    results. The attacker's script then runs in the victim's browser, in
    the security context of the AnswerBook2 site and with the privileges
    of the user who followed the link/URI.

    2. The "View Log Files" function in the AnswerBook2 browser-based
    admin interface (GUI) is vulnerable to cross-site scripting because
    it renders log entries that an unprivileged local or remote user can
    influence (for example, through the request URI recorded in the
    access log). An AnswerBook2 administrator viewing the log files
    through the GUI may therefore unintentionally execute script planted
    by such a user; it runs with the privileges of the user operating the
    browser-based admin GUI, who may be privileged.
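    Both items are the same class of bug: untrusted text written into an
    HTML page without output encoding. The Python below is an added
    example, not Sun or AnswerBook2 code, and it assumes two hypothetical
    rendering paths standing in for the real pages (a search page that
    echoes its "query" parameter, and a log viewer that emits raw
    access-log lines inside <pre>); the attack URI and log lines are
    constructed sample data. It shows the reflected case (item 1), the
    log-injection case (item 2), the fix for both (HTML-encode at output),
    and a log heuristic that flags requests carrying markup, which is
    about the only after-the-fact indicator available given that the
    advisory lists no reliable symptoms.

```python
"""
Added example, not Sun or AnswerBook2 code.

Hypothetical rendering paths that stand in for the two AnswerBook2 pages
(nothing here is taken from the real server):
  - a search page that echoes the submitted "query" parameter into HTML, and
  - an admin log viewer that emits raw access-log lines inside <pre>.
All URIs and log lines are constructed sample data.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed: the kind of link an attacker would mail to a victim.
ATTACK_URI = ("/ab2/@Search?query=solaris"
              "%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E")

# Constructed Common Log Format lines as an access log might record them.
# The request URI is attacker-controlled and is logged verbatim.
BENIGN_LOG_LINE = ('198.51.100.7 - - [08/Mar/2005:10:16:01 +0100] '
                   '"GET /ab2/@Search?query=mount+nfs HTTP/1.0" 200 4096')
RAW_TAG_LOG_LINE = ('203.0.113.5 - - [08/Mar/2005:10:15:22 +0100] '
                    '"GET /ab2/@Search?query=<script>alert(1)</script> HTTP/1.0" 200 512')
ENCODED_TAG_LOG_LINE = ('203.0.113.5 - - [08/Mar/2005:10:15:40 +0100] '
                        '"GET ' + ATTACK_URI + ' HTTP/1.0" 200 512')


def search_query_from_uri(uri):
    """Decode the 'query' parameter the way a CGI search handler would."""
    return parse_qs(urlparse(uri).query).get("query", [""])[0]


def render_search_vulnerable(query):
    """Item 1 pattern: the decoded query is echoed into the page unchanged."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_search_hardened(query):
    """Same page with the one fix that matters: HTML-encode at output."""
    return f"<html><body><h1>Results for: {html.escape(query, quote=True)}</h1></body></html>"


def render_log_vulnerable(lines):
    """Item 2 pattern: log lines (attacker-writable) are emitted as markup."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_hardened(lines):
    """<pre> does not neutralise tags; each line must still be encoded."""
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page):
    """True if the rendered page still carries an executable <script> tag."""
    return _SCRIPT_TAG.search(page) is not None


_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
_MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def suspicious_requests(lines):
    """Heuristic: log lines whose request URI carries HTML markup, either raw
    or percent-encoded. Evidence of an attempt, not proof of exploitation."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if m and _MARKUP.search(unquote(m.group(1))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    q = search_query_from_uri(ATTACK_URI)
    print("vulnerable search page executes script:",
          contains_live_script(render_search_vulnerable(q)))
    print("hardened search page executes script:",
          contains_live_script(render_search_hardened(q)))
    log = [BENIGN_LOG_LINE, RAW_TAG_LOG_LINE, ENCODED_TAG_LOG_LINE]
    print("vulnerable log viewer executes script:",
          contains_live_script(render_log_vulnerable(log)))
    print("hardened log viewer executes script:",
          contains_live_script(render_log_hardened(log)))
    for hit in suspicious_requests(log):
        print("suspicious:", hit)
```

    Note that the log heuristic decodes percent-encoding before looking for
    tags, since an attacker can submit the payload either raw or encoded
    and the server records whichever form it received; a scan that only
    looks for a literal "<script" misses the encoded variant.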

    This issue is also described in the following documents:

    [2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0548

    [3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0549

    For further information on malicious HTML tags, cross site scripting,
    and web script vulnerabilities, see the following URLs:

    [4]http://www.cert.org/archive/pdf/cross_site_scripting.pdf

    [5]http://www.cert.org/tech_tips/malicious_code_FAQ.html

    [6]http://www.cert.org/advisories/CA-2000-02.html

    Sun acknowledges, with thanks, Thomas Liam Romanis for bringing this
    issue to our attention.

    2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform

      * AnswerBook2 Documentation Server versions 1.4.4 or earlier (for
        Solaris 7 and 8)

    x86 Platform

      * AnswerBook2 Documentation Server versions 1.4.4 or earlier (for
        Solaris 7 and 8)

    Notes:

     1. AnswerBook2 is no longer supported as of Solaris 9, therefore
        Solaris 9 and Solaris 10 are not affected.
     2. The "View Log Files" vulnerability only exists when using the
        AnswerBook2 Admin GUI interface, i.e. the following URL path on an
        AnswerBook2 server:
        [7]http://ab2server.hostname:8888/ab2/@Ab2Admin

    To determine the version of the currently installed AnswerBook2
    Server, the following command can be run:

     $ grep SUNW_PRODVERS /var/sadm/pkg/SUNWab2[rsu]/pkginfo
     /var/sadm/pkg/SUNWab2r/pkginfo:SUNW_PRODVERS=1.4.4
     /var/sadm/pkg/SUNWab2s/pkginfo:SUNW_PRODVERS=1.4.4
     /var/sadm/pkg/SUNWab2u/pkginfo:SUNW_PRODVERS=1.4.4

    3. Symptoms

    There are no reliable symptoms that would indicate the described
    issues have been exploited.

    Solution Summary

    4. Relief/Workaround

    Sites which have configured AnswerBook2 Documentation Servers should
    disable AnswerBook2 and instead refer to Sun documentation at the Sun
    Product Documentation web site [9]http://docs.sun.com or view the
    documentation on the Solaris Documentation CD.

    To disable the AnswerBook2 Documentation Server, the following
    commands can be run as "root" user:

     # /usr/lib/ab2/bin/ab2admin -o stop
     # /usr/lib/ab2/bin/ab2admin -o autostart_no

    To avoid the "View Log Files" vulnerability, do not use the
    AnswerBook2 Admin GUI to view the AnswerBook2 log files; the
    ab2admin(1M) command should be used instead, as in the following
    example:

     $ /usr/lib/ab2/bin/ab2admin -o view_access [-m server_name] [-p server_port]

    5. Resolution

    No patch is provided for this issue; the workaround given in the
    "Relief/Workaround" section (disabling the AnswerBook2 server, or at
    minimum not viewing log files through the Admin GUI) is the
    resolution.

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved.

References

    1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57737-1#top
    2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0548
    3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0549
    4. http://www.cert.org/archive/pdf/cross_site_scripting.pdf
    5. http://www.cert.org/tech_tips/malicious_code_FAQ.html
    6. http://www.cert.org/advisories/CA-2000-02.html
    7. http://ab2server.hostname:8888/ab2/@Ab2Admin
    8. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57737-1#top
    9. http://docs.sun.com/

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================


