Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users.

Details

  • Product: Endeca Latitude
  • Affected Versions: 2.2.2, potentially others
  • Fixed Versions: N/A
  • Vulnerability Type: Cross-Site Scripting
  • Security Risk: high
  • Vendor URL: N/A
  • Vendor Status: decided not to fix
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
  • Advisory Status: published
  • CVE: CVE-2014-2400
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400

Introduction

Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications.

(from the vendor’s homepage)

More Details

Endeca Latitude offers administrators to trigger different functions by using the following two URLs (see http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/cadm_url_about_admin_urls.html):

  • http://example.com/config?op=<supported-operation>
  • http://example.com/admin?op=<supported-operation>

When accessing such an URL which uses an invalid value for the HTTP GET parameter “op”, such as http://example.com/config?op=RedTeam%20Pentesting, an error message is shown by the webapplication and the invalid value is directly embedded into the document without prior escaping, which leads to a Cross-Site Scripting vulnerability.

Proof of Concept

As shown by the following URL, an attacker is able to embed arbitrary JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=<script>alert(‘RedTeam Pentesting’);</script>

Workaround

The vendor did not update the vulnerable software, but recommends to configure all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers.

Fix

Not available. The vendor did not update the vulnerable software to remedy this issue.

Security Risk

The vulnerability can be used to embed arbitrary JavaScript code and therefore offers a wide range of possible attacks such as stealing cookies or displaying a fake login form. Furthermore, an attacker can use this vulnerability to control the Endeca Latitude instance by using the API implemented by its web service (see http://docs.oracle.com/cd/E29220_01/index.htm). The risk of this vulnerability is therefore considered to be high.

Timeline

  • 2013-10-06 Vulnerability identified
  • 2013-10-08 Customer approved disclosure to vendor
  • 2013-10-15 Vendor notified
  • 2013-10-17 Vendor responded that investigation/fixing is in progress
  • 2014-02-24 Vendor responded that bug is fixed and scheduled for a future
    CPU
  • 2014-03-13 Vendor responded with additional information about a
    potential workaround
  • 2014-04-15 Vendor releases Critical Patch Update Advisory with little
    information on the proposed fix
  • 2014-04-16 More information requested from vendor
  • 2014-05-02 Vendor responds with updated information
  • 2014-06-25 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.