Endeca Latitude Cross-Site Scripting
RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users.
Details
- Product: Endeca Latitude
- Affected Versions: 2.2.2, potentially others
- Fixed Versions: N/A
- Vulnerability Type: Cross-Site Scripting
- Security Risk: high
- Vendor URL: N/A
- Vendor Status: decided not to fix
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2013-003 - Advisory Status: published
- CVE: CVE-2014-2400
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400
Introduction
Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications.
(from the vendor’s homepage)
More Details
Endeca Latitude offers administrators to trigger different functions by using the following two URLs (see http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html):
http://example.com/config?op=<supported-operation>http://example.com/admin?op=<supported-operation>
When accessing such an URL which uses an invalid value for the HTTP GET
parameter “op”, such as
http://example.com/config?op=RedTeam%20Pentesting, an error message is
shown by the webapplication and the invalid value is directly embedded
into the document without prior escaping, which leads to a Cross-Site
Scripting vulnerability.
Proof of Concept
As shown by the following URL, an attacker is able to embed arbitrary JavaScript code into the context of the Endeca Latitude instance:
http://example.com/config?op=<script>alert(‘RedTeam Pentesting’);</script>
Workaround
The vendor did not update the vulnerable software, but recommends to configure all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers.
Fix
Not available. The vendor did not update the vulnerable software to remedy this issue.
Security Risk
The vulnerability can be used to embed arbitrary JavaScript code and therefore offers a wide range of possible attacks such as stealing cookies or displaying a fake login form. Furthermore, an attacker can use this vulnerability to control the Endeca Latitude instance by using the API implemented by its web service (see http://docs.oracle.com/cd/E29220_01/index.htm). The risk of this vulnerability is therefore considered to be high.
Timeline
- 2013-10-06 Vulnerability identified
- 2013-10-08 Customer approved disclosure to vendor
- 2013-10-15 Vendor notified
- 2013-10-17 Vendor responded that investigation/fixing is in progress
- 2014-02-24 Vendor responded that bug is fixed and scheduled for a future
CPU - 2014-03-13 Vendor responded with additional information about a
potential workaround - 2014-04-15 Vendor releases Critical Patch Update Advisory with little
information on the proposed fix - 2014-04-16 More information requested from vendor
- 2014-05-02 Vendor responds with updated information
- 2014-06-25 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.