Secunia Research: BlueDragon Server Cross-Site Scripting and Denial of Service

====================================================================== 

                    Secunia Research 23/06/2006

   - BlueDragon Server Cross-Site Scripting and Denial of Service -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

* BlueDragon Server for Windows version 6.2.1.286
* BlueDragon Server JX for Windows version 6.2.1.286

Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately Critical
Impact: Denial of Service
        Cross-Site Scripting
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in BlueDragon
Server/Server JX, which can be exploited by malicious people to
conduct cross-site scripting attacks and to cause a DoS (Denial of
Service).

1) An error exists within the handling of an HTTP request that contains
an MS-DOS device name with the ".cfm" extension. This can be exploited
to cause the service to stop responding to requests for ".cfm" files.

Example:
http://[host]/con.cfm
http://[host]/aux.cfm
http://[host]/com1.cfm
http://[host]/com2.cfm

Successful exploitation using "com1.cfm" and "com2.cfm" requires that
the system has serial ports installed. The vendor has reported that
the "cfml" extension is also affected.

2) Input passed in the URL is not properly sanitised before being
returned to the user in the default error page. This can be exploited
to execute arbitrary HTML and script code in a user's browser session
in context of an affected site.

Example:
http://[host]/[code].cfm
http://[host]/[code].cfml

====================================================================== 
4) Solution 

Filter malicious characters and character sequences in a proxy or
firewall with URL filtering capabilities.

The vendor will reportedly release a fix in June 2006. This has not
been confirmed.
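The following is an added example, not code from Secunia or from the
BlueDragon vendor, showing what the URL filtering suggested above and
the output escaping that removes the root cause of issue 2 look like in
practice. It assumes a hypothetical filtering hook (decide) that a proxy
or the application front end would call per request; the reserved
device-name list extends the four names in the advisory (con, aux, com1,
com2) with the standard Windows set (prn, nul, com1-9, lpt1-9), and the
host example.test and the sample URLs are constructed for the demo.

```python
import re
from html import escape
from urllib.parse import urlsplit, unquote

# Reserved MS-DOS device names. Windows resolves a path component whose
# base name is one of these to the device itself, whatever extension
# follows (so "con.cfm" is the console, not a file). The advisory names
# con, aux, com1 and com2; the rest is the standard reserved set (assumed).
RESERVED_DEVICE_NAMES = frozenset(
    ["con", "prn", "aux", "nul"]
    + [f"com{i}" for i in range(1, 10)]
    + [f"lpt{i}" for i in range(1, 10)]
)

# Extensions the advisory reports as handled by the CFML engine.
CFML_EXTENSIONS = (".cfm", ".cfml")

# Characters that let reflected input break out of the error page's HTML.
HTML_META = re.compile(r'[<>"\']')


def targets_device_name(path: str) -> bool:
    """True if the final path component is a reserved device name plus a CFML extension."""
    last = unquote(path).rsplit("/", 1)[-1].lower()
    for ext in CFML_EXTENSIONS:
        if last.endswith(ext):
            base = last[: -len(ext)]
            # Windows ignores trailing dots and spaces and treats ':' as a
            # stream separator, so normalise conservatively before matching.
            base = base.rstrip(". ").split(":", 1)[0]
            return base in RESERVED_DEVICE_NAMES
    return False


def contains_html_metachars(path: str) -> bool:
    """True if the decoded path carries characters usable for HTML injection."""
    return bool(HTML_META.search(unquote(path)))


def decide(url: str):
    """Hypothetical filter hook: returns ("block", reason) or ("allow", "")."""
    path = urlsplit(url).path
    if targets_device_name(path):
        return ("block", "reserved MS-DOS device name with CFML extension")
    if path.lower().endswith(CFML_EXTENSIONS) and contains_html_metachars(path):
        return ("block", "HTML metacharacters in CFML request path")
    return ("allow", "")


def render_not_found(requested_path: str) -> str:
    """Safe variant of a default error page: the requested path is HTML-escaped
    before being reflected, which is the fix the vendor side would need."""
    shown = escape(unquote(requested_path), quote=True)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The file {shown} was not found.</p></body></html>"
    )


if __name__ == "__main__":
    # Constructed sample requests: two benign, two matching each issue.
    samples = [
        "http://example.test/index.cfm",
        "http://example.test/reports/summary.cfml",
        "http://example.test/con.cfm",
        "http://example.test/COM1.cfml",
        "http://example.test/%3Cscript%3Ealert(1)%3C/script%3E.cfm",
        'http://example.test/"><img src=x>.cfml',
    ]
    for url in samples:
        verdict, reason = decide(url)
        print(f"{verdict:5} {url}  {reason}")
    print(render_not_found("/<script>alert(1)</script>.cfm"))
```

The filter decodes percent-encoding before matching so that encoded
variants of the same request are judged identically, and it only applies
the metacharacter rule to CFML requests, the paths the advisory says are
reflected into the error page, to keep false positives low elsewhere.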

====================================================================== 
5) Time Table 

09/03/2006 - Initial vendor notification.
21/03/2006 - Initial vendor reply.
08/05/2006 - Vendor reminder.
26/05/2006 - Vendor provided patch for testing.
31/05/2006 - Notify vendor that patch is not complete.
13/06/2006 - Vendor reminder.
23/06/2006 - Public disclosure (no reply from vendor).

====================================================================== 
6) Credits 

Discovered by Tan Chew Keong, Secunia Research.

====================================================================== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-2310 (Denial of Service) and CVE-2006-2311 (Cross-Site 
Scripting) for the vulnerabilities.

====================================================================== 
8) About Secunia 

Secunia collects, validates, assesses, and writes advisories regarding 
all the latest software vulnerabilities disclosed to the public. These 
advisories are gathered in a publicly available database at the 
Secunia website: 

http://secunia.com/

Secunia offers services to our customers enabling them to receive all 
relevant vulnerability information to their specific system 
configuration. 

Secunia offers a FREE mailing list called Secunia Security Advisories: 

http://secunia.com/secunia_security_advisories/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-18/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================