hpsnh-xss.txt

hpsnh-xss.txt
Posted Aug 27, 2008
Authored by Luca Carettoni, Claudio Criscione, Lavakumar Kuppan | Site ikkisoft.com

Further analysis regarding the HP System Management

tags | exploit, xss
advisories | CVE-2008-1663
SHA-256 | 50cafab5d8ea833ac02ac9ae4a102f63d72c36a385c1f8949e6ee5291fbf724f

=====================================================================================
Hopeless comments regarding the pointless
"HP System Management Homepage (SMH) Unspecified XSS"

August 25, 2008

=====================================================================================
[Overview]

Since HP does not provide technical details in its security bulletins, it is really
difficult to track vulnerabilities and patches.

In the last few years several Cross Site Scripting vulnerabilities were reported
against the HP System Management Homepage (SMH); however, no technical details were
provided and it is still difficult to understand the real extent of this issue.
Whenever you search for information regarding this weakness in the public vulnerability
databases, you just find tons of incomplete or overlapping descriptions.

In order to understand the essence of the problem, have a look at:
http://www.securityfocus.com/bid/25953
Although it is ages away from being useful, it gives a compact overview of the flaw.

This is the most useless indeed:
http://www.securityfocus.com/bid/24256

This document discusses three attack vectors found in the HP System Management
Homepage (SMH).

=====================================================================================
[Impact]

Cross Site scripting (XSS)

Since it is a web management console, the Cross Site Scripting vulnerability has a
medium/high impact whenever it can be exploited.

=====================================================================================
[Technical Details]

HP System Management Homepage (SMH) is prone to an XSS vulnerability because it
fails to check the input parameter used to show a generic error message.

The vulnerability affects the "message.php" script. In detail, this page uses the
JavaScript property "location.search" in order to create a contextual error message.
If the error ID provided in the URL does not match any valid code, a generic error
is reported ("An unknown error (%INVALID_CODE%) occurred") instead.

In the first versions of the HP System Management Homepage (probably <= 2.1.1) there
is a client-side only input validation:

<--- cut here --->
// handle possible active content in the pieces of the query string
// (splitquery holds the pieces of location.search, presumably split on '&')
for (var i = 0; i < splitquery.length; i++)
{
    splitquery[i] = unescape(splitquery[i]);
    // replace() with a string pattern removes only the FIRST occurrence
    splitquery[i] = splitquery[i].replace("\<script\>", "");
    splitquery[i] = splitquery[i].replace("\<\/script\>", "");
}
<--- cut here --->

As you can see, this validation is obviously prone to fail.
Since the replacement is not global and only the first occurrence is removed,
it is trivial to bypass this control and successfully exploit the flaw.
Moreover, we have to remember that multiple attack vectors that do not use the HTML
"SCRIPT" tag at all exist in this situation.

In the second generation (for sure after version 2.1.4), a server-side validation was
finally introduced. Unfortunately a simple NULL byte (%00) is enough to bypass this
checkpoint, and "location.search" is then used exactly as in the previously
vulnerable versions.
Version 2.1.11 is patched against this vulnerability.

The server-side validation introduced in the second generation appears to be a
black-list based filter. All HTML tags tested were blocked by the filter. However, the
'<BGSOUND>' tag is not included in the black-list and it bypasses the server-side validation.
As reported by RSnake in his XSS Cheat Sheet, the '<BGSOUND>' tag is a valid attack
vector in certain versions of Opera.

The latest version (2.1.12) has not yet been tested for this vector. Since only Opera
users are likely to be affected, the associated risk is relatively low.
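The following JavaScript is an added example (it is not part of this advisory and not HP's code): it places the first-occurrence filter quoted above next to an allowlist-based handler for the same job, namely turning the error code taken from location.search into a message. The function names, the error table and the accepted code format are assumptions made for the illustration. The allowlist approach addresses all three points above at once: a non-global replace is irrelevant because nothing is stripped, a NUL byte left over from %00 fails the allowlist instead of truncating a check, and a black-list of tag names is not needed because no markup is accepted in the first place.

```javascript
// Added example (not from the advisory or from HP): the weak first-occurrence
// filter beside an allowlist-based handler for the error code found in
// location.search. All names and the error table below are assumptions.

// Reproduces the behaviour of the client-side filter quoted in the advisory:
// String.prototype.replace with a string pattern replaces only the first
// match, so a second copy of the tag survives the filter.
function weakSanitize(piece) {
  return piece.replace("<script>", "").replace("</script>", "");
}

// Hypothetical table of known error codes -> messages (constructed).
const ERROR_MESSAGES = {
  E1001: "Authentication failed.",
  E1002: "Session expired.",
};

// Allowlist: an error code is a short token of letters, digits and underscore.
// Anything else (NUL bytes from %00, angle brackets, quotes, any tag name)
// is rejected outright rather than stripped.
const CODE_PATTERN = /^[A-Za-z0-9_]{1,32}$/;

function isValidErrorCode(code) {
  return typeof code === "string" && CODE_PATTERN.test(code);
}

// Takes the raw query string (e.g. window.location.search) and returns the
// first piece, decoded. decodeURIComponent throws on malformed %-sequences;
// that is treated as "no valid code" instead of falling back to the raw text.
function extractErrorCode(search) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  const first = raw.split("&")[0];
  try {
    return decodeURIComponent(first);
  } catch (e) {
    return null;
  }
}

// Returns the message to display as plain text. The caller must assign it
// with textContent / createTextNode, never innerHTML or document.write.
function errorMessageFor(search) {
  const code = extractErrorCode(search);
  if (!isValidErrorCode(code)) {
    // The untrusted value is never echoed; a constant placeholder is used.
    return "An unknown error (invalid code) occurred";
  }
  if (Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code)) {
    return ERROR_MESSAGES[code];
  }
  // Safe to echo: the code matched the allowlist, so it contains no markup.
  return "An unknown error (" + code + ") occurred";
}

// Renders into a container as a text node when a DOM is available and
// returns the text so the logic can be checked outside a browser.
function renderErrorMessage(container, search) {
  const text = errorMessageFor(search);
  if (typeof document !== "undefined" && container) {
    container.textContent = text; // text, not markup
  }
  return text;
}
```

In a page this would be called as `renderErrorMessage(document.getElementById("msg"), window.location.search)`. The design choice worth noting is that the hardened handler validates the whole decoded string against what an error code is allowed to look like, instead of searching it for what an attack might look like; that is why the NUL-byte and BGSOUND cases need no special handling.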

=====================================================================================
[Vulnerable Versions]

According to our analysis, this is probably the most comprehensive list:

HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5 (TESTED for 2nd, 3rd vector)
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2 (TESTED for 1st vector)
HP System Management Homepage 2.0.1 (TESTED for 1st vector)
HP System Management Homepage 2.0
HP HP-UX B.11.31
HP HP-UX B.11.23
HP HP-UX B.11.11

HP System Management Homepage 2.1.11 and
HP System Management Homepage 2.1.12 are NOT vulnerable to the 1st and 2nd vector.

=====================================================================================
[Exploit]

1st vector)
https://<IP>:2381/message.php?<script><script>alert('xss')</script></script>

2nd vector)
https://<IP>:2381/message.php?aa%00<script><script>alert('xss')</script></script>

3rd vector)
https://<IP>:2381/message.php?aa<BGSOUND SRC="javascript:alert('XSS');">

=====================================================================================
[Credits]

Luca Carettoni (luca.carettoni[at]ikkisoft[dot]com) - http://www.ikkisoft.com/
Claudio Criscione (claudio[at]criscio[dot]net) - http://www.oversighting.com/
Lavakumar Kuppan (lavakumark[at]gmail[dot]com) - http://www.lavakumar.com/

=====================================================================================