Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability

======================================================================

                     Secunia Research 26/01/2004

   - IBM Net.Data Macro Name Cross-Site Scripting Vulnerability -

======================================================================
Table of Contents

1....................................................Affected Software
2.............................................................Severity
3.....................................Vendor's Description of Software
4.........................................Description of Vulnerability
5.............................................................Solution
6...........................................................Time Table
7..............................................................Credits
8........................................................About Secunia
9.........................................................Verification

======================================================================
1) Affected Software

IBM Net.Data 7 and 7.2.

NOTE: Other versions have not been tested but may also be affected.

======================================================================
2) Severity

Rating:  Less critical
Impact:  Cross-Site Scripting
Where:   From Remote

======================================================================
3) Vendor's Description of Software

"Net.Data, a full-featured and easy to learn scripting language, allows
you to create powerful Web applications. Net.Data can access data from
the most prevalent databases in the industry".

Vendor:
http://www-3.ibm.com/software/data/net.data/

======================================================================
4) Description of Vulnerability

A vulnerability has been identified in IBM Net.Data, which can be
exploited by malicious people to conduct cross-site scripting attacks
against visitors of an affected site.

The vulnerability is caused by an input validation error in the
db2www CGI component: the name of a requested Macro file is included
in "DTWP001E" error messages without sufficient sanitisation.

A malicious person can exploit this by constructing a link that
includes arbitrary script code. If a user is tricked into clicking
the link or visiting a malicious website, the script code will be
executed in the user's browser session in the context of the affected
site.

Example:
http://[victim]/cgi-bin/db2www/<script>alert(document.domain)</script>/A

Successful exploitation may result in disclosure of various
information (e.g. cookie-based authentication information)
associated with the site running IBM Net.Data, or in the inclusion of
malicious content that the user believes is part of the real website.

NOTE: Other error messages may also be affected.
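
Added example, not part of the Secunia advisory: a log check that flags
db2www requests whose macro path carries HTML markup, as in the example
URL above. The log lines are constructed, and the /cgi-bin/db2www/ prefix
and Common Log Format layout are assumptions to adjust per site.

```python
import re
from urllib.parse import unquote

DB2WWW_PREFIX = "/cgi-bin/db2www/"  # path used in the advisory's example URL
# Client address, then the request target inside the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')
MARKUP_CHARS = set('<>"')  # never expected in a macro file name

def find_markup_in_macro_path(log_lines):
    """Return (client, decoded macro path) for db2www requests containing markup."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        # Only the path matters here; browsers usually send '<' as %3C, so decode.
        path = unquote(target.split("?", 1)[0])
        if not path.lower().startswith(DB2WWW_PREFIX):
            continue
        macro_part = path[len(DB2WWW_PREFIX):]
        if MARKUP_CHARS & set(macro_part):
            hits.append((client, macro_part))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2004:10:00:01 +0000] '
    '"GET /cgi-bin/db2www/orders.d2w/report HTTP/1.0" 200 5120',
    '192.0.2.44 - - [26/Jan/2004:10:02:17 +0000] '
    '"GET /cgi-bin/db2www/<script>alert(document.domain)</script>/A HTTP/1.0" 200 412',
    '198.51.100.7 - - [26/Jan/2004:10:03:40 +0000] '
    '"GET /cgi-bin/db2www/%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E/A HTTP/1.0" 200 412',
    '192.0.2.10 - - [26/Jan/2004:10:04:02 +0000] '
    '"GET /index.html?q=<b> HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, macro in find_markup_in_macro_path(SAMPLE_LOG):
        print(client, macro)
```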

======================================================================
5) Solution

The vendor recommends that the "DTW_DEFAULT_ERROR_MESSAGE" feature (or
"DTW_DEFAULT_MACRO" feature on zOS and iServer) is used to ensure that a
web site reacts in a predictable manner when encountering problems.

Example:
In the Net.Data configuration file "db2www.ini", insert an entry such
as:

DTW_DEFAULT_ERROR_MESSAGE <PRE>This Web Site is experiencing problems.
Check back later. </PRE>

This will prevent various error messages from being returned to users.
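
Added example, not IBM's or Secunia's code: a model of the error page in
three forms (name echoed as-is, name HTML-encoded, and the fixed default
message) showing why the recommended setting removes the reflection. The
DTWP001E wording, the function names and the '/<macro>/<block>' layout are
assumptions.

```python
import html

# PATH_INFO for the advisory's example URL (the part after /cgi-bin/db2www).
SAMPLE_PATH_INFO = "/<script>alert(document.domain)</script>/A"

# Constructed wording: the advisory names the DTWP001E message but does not quote it.
ERROR_TEMPLATE = "<html><body><p>DTWP001E: cannot open macro file {name}</p></body></html>"

# Fixed text from the advisory's DTW_DEFAULT_ERROR_MESSAGE example.
DEFAULT_ERROR_MESSAGE = "<PRE>This Web Site is experiencing problems. Check back later. </PRE>"

def macro_name(path_info):
    """Assumed layout '/<macro>/<block>': all but the last segment is the macro name."""
    rest = path_info.lstrip("/")
    macro, sep, _block = rest.rpartition("/")
    return macro if sep else rest

def render_unsafe(path_info):
    # Behaviour the advisory describes: the requested name is copied into the page.
    return ERROR_TEMPLATE.format(name=macro_name(path_info))

def render_encoded(path_info):
    # Output encoding: the browser shows the name as text instead of parsing it.
    return ERROR_TEMPLATE.format(name=html.escape(macro_name(path_info), quote=True))

def render_default(_path_info):
    # Effect of DTW_DEFAULT_ERROR_MESSAGE: no request data reaches the response.
    return DEFAULT_ERROR_MESSAGE

def echoes_raw_name(body, path_info):
    """True if a macro name containing HTML metacharacters appears unencoded in body."""
    name = macro_name(path_info)
    return any(ch in name for ch in "<>\"'&") and name in body

if __name__ == "__main__":
    for render in (render_unsafe, render_encoded, render_default):
        body = render(SAMPLE_PATH_INFO)
        print(render.__name__, echoes_raw_name(body, SAMPLE_PATH_INFO))
```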

======================================================================
6) Time Table

04/11/2003 - Vulnerability discovered.
04/11/2003 - Vendor notified.
07/11/2003 - Vendor confirms receiving vulnerability report. Report will
be forwarded to Net.Data team.
02/12/2003 - Requests status report from contact person.
02/12/2003 - Contact person responds that the Net.Data team will be
contacted.
14/01/2004 - Advisory draft sent to vendor along with set disclosure
date.
14/01/2004 - Contact person replies that the Net.Data team will be
contacted again.
22/01/2004 - Vendor confirms vulnerability and provides solution.
26/01/2004 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://www.secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://www.secunia.com/secunia_research/2004-1/
======================================================================