Advisory: Endeca Latitude Cross-Site Scripting RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users. Details ======= Product: Endeca Latitude Affected Versions: 2.2.2, potentially others Fixed Versions: N/A Vulnerability Type: Cross-Site Scripting Security Risk: high Vendor URL: N/A Vendor Status: decided not to fix Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003 Advisory Status: published CVE: CVE-2014-2400 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400 Introduction ============ Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications. (from the vendor's homepage) More Details ============ Endeca Latitude offers administrators to trigger different functions by using the following two URLs (see [1]): * http://example.com/config?op= * http://example.com/admin?op= When accessing such an URL which uses an invalid value for the HTTP GET parameter "op", such as http://example.com/config?op=RedTeam%20Pentesting, an error message is shown by the webapplication and the invalid value is directly embedded into the document without prior escaping, which leads to a Cross-Site Scripting vulnerability. Proof of Concept ================ As shown by the following URL, an attacker is able to embed arbitrary JavaScript code into the context of the Endeca Latitude instance: http://example.com/config?op= Workaround ========== The vendor did not update the vulnerable software, but recommends to configure all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers. Fix === Not available. The vendor did not update the vulnerable software to remedy this issue. Security Risk ============= The vulnerability can be used to embed arbitrary JavaScript code and therefore offers a wide range of possible attacks such as stealing cookies or displaying a fake login form. Furthermore, an attacker can use this vulnerability to control the Endeca Latitude instance by using the API implemented by its web service (see [2]). The risk of this vulnerability is therefore considered to be high. Timeline ======== 2013-10-06 Vulnerability identified 2013-10-08 Customer approved disclosure to vendor 2013-10-15 Vendor notified 2013-10-17 Vendor responded that investigation/fixing is in progress 2014-02-24 Vendor responded that bug is fixed and scheduled for a future CPU 2014-03-13 Vendor responded with additional information about a potential workaround 2014-04-15 Vendor releases Critical Patch Update Advisory with little information on the proposed fix 2014-04-16 More information requested from vendor 2014-05-02 Vendor responds with updated information 2014-06-25 Advisory released References ========== [1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/ cadm_url_about_admin_urls.html [2] http://docs.oracle.com/cd/E29220_01/index.htm RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.