#SIAADV-07-005 - Secureideas BASE Cross Site Scripting -------------------------------------------------------------------------- Autor: Daniel Medianero garcía ( dmedianero @ sia.es ) Vendor: BASE - http://base.secureideas.net/ Impact: Cross Site Scripting URL: http://www.514.es Affected applications: ---------------------- - Basic Analysis and Security Engine Affected versions: ------------------ - BASE 1.3.8(jodie) Affected Operating systems: --------------------------- - Cross-platform (Web Application written in php) Unaffected versions: ----------------------- - Equal or greater than BASE 1.3.9 (anne) Product overview: ----------------- BASE (http://sourceforge.net/projects/secureideas/) is an interface Web management alerts IDS Snort, written in Php and supports various BBDD, including MySQL, Postgree, etc.. It is the most widely used product to see / classify Snort alerts. Its origin is already history ACID (Analysis Control Intrusion Detection). Vulnerability Description: --------------------------- Multiple vulnerabilities have been identified in Basic Analysis and Security Engine (BASE), which could be exploited by attackers to execute arbitrary scripting code. These issues are caused by input validation errors in the "base_qry_main.php" script when processing the "sig[0]" and "sig[1]" parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site. Technical Details: ------------------ The exploitation of these vulnerabilities can be done Tampering of the mentioned parameters and changing its value by some vector XSS attack like this: ';!--"< Script> alert (document.cookie); Solution: --------- - Upgrade the software to the latest version available by the manufacturer (now v1.3.9) Timeline: --------- 24/09/2007 - Vulnerability discovered First-notification Secureideas - Secureideas sought more extensive information - Proporciono such information and opens the bug in Bugtrack # 1801192 13/10/2007 - Secureideas attached to bug a high priority (9) 20/11/2007 - Secureideas reports that the bug has been fixed. - Published version 1.3.9 (anne) 28/11/2007 - The bug is published by the FSIRT (FrSIRT/ADV-2007-4021)