skip to navigation. Skip to the content.
> Advisories > rt-sa-2013-003 vertical divider

Endeca Latitude Cross-Site Scripting

RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users.


Details
=======

Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-003
Advisory Status: published
CVE:  CVE-2014-2400
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2400


Introduction
============

Endeca Latitude is an enterprise data discovery platform for advanced, yet intuitive, exploration and analysis of complex and varied data. Information is loaded from disparate source systems and stored in a faceted data model that dynamically supports changing data. This integrated and enriched data is made available for search, discovery, and analysis via interactive and configurable applications. 

(from the vendor's homepage)


More Details
============

Endeca Latitude offers administrators to trigger different functions by using the following two URLs (see [1]):

* http://example.com/config?op=<supported-operation>
* http://example.com/admin?op=<supported-operation>

When accessing such an URL which uses an invalid value for the HTTP GET parameter "op", such as
http://example.com/config?op=RedTeam%20Pentesting, an error message is
shown by the webapplication and the invalid value is directly embedded into the document without prior escaping, which leads to a Cross-Site Scripting vulnerability.


Proof of Concept
================

As shown by the following URL, an attacker is able to embed arbitrary JavaScript code into the context of the Endeca Latitude instance:

http://example.com/config?op=<script>alert('RedTeam Pentesting');</script>


Workaround
==========

The vendor did not update the vulnerable software, but recommends to configure all installations to require mutual authentication using TLS certificates for both servers and clients, while discouraging users from installing said client certificates in browsers.


Fix
===

Not available. The vendor did not update the vulnerable software to remedy this issue.


Security Risk
=============

The vulnerability can be used to embed arbitrary JavaScript code and therefore offers a wide range of possible attacks such as stealing cookies or displaying a fake login form. Furthermore, an attacker can use this vulnerability to control the Endeca Latitude instance by using the API implemented by its web service (see [2]). The risk of this vulnerability is therefore considered to be high.


Timeline
========

2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
CPU
2014-03-13 Vendor responded with additional information about a
potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released



References
==========

[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/src/
cadm_url_about_admin_urls.html
[2] http://docs.oracle.com/cd/E29220_01/index.htm


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.