Caucho Resin UTF-7 Cross-Site Scripting Vulnerability
-----------------------------------------------------
BugSec | Security Advisory
Moshe Ben-Abu | Security Expert
Vendor
------
Caucho Technology, Inc. - http://www.caucho.com
Application Description
-----------------------
“Resin is a leading high performance, scalable Java/PHP application server
that is deployed by over 7,000 organizations worldwide including Fortune
500 companies and many of the highest traffic sites of the Internet.” -
From the Caucho website.
Vulnerability Information
-------------------------
Remotely exploitable: Yes
Locally exploitable: No
Affected versions:
- Caucho Resin 3.2 (s080510)
- Caucho Resin Professional 3.0.22
Other versions may also be affected.
Vulnerability Details
---------------------
An input validation problem exists within Caucho Resin which allows
execution of arbitrary client-side code, resulting in a cross-site
scripting vulnerability. The vulnerability is possible because the
application fails to validate user input when generating HTTP error pages.
In addition, when generating HTTP error pages the application does not
specify the error page's charset (in an HTTP Content-Type header or an HTML
META tag), and therefore allows some browsers to automatically detect the
page's character set (additional information below). An attacker may
leverage this to trick such browsers into auto-detecting the page as a
UTF-7 encoded page and executing UTF-7 encoded client-side code.
Proof-of-Concept
----------------
GET HTTP request generating a 404 error page with JavaScript code:
http://server/+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-
Server response:
HTTP/1.1 404 Not Found
Server: Resin/3.2.s080828
Content-Type: text/html
Date: Wed, 24 Sep 2008 23:25:02 GMT
Content-Length: 1070
404 Not Found
404 Not Found
/+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- was not found on this
server.
Resin/3.2.s080828
This vulnerability has been found to exist in the Caucho Resin 404 and 500
HTTP error pages. Other error pages may also be affected. An attacker may
leverage the cross-site scripting vulnerability to have arbitrary script code
executed in the browser of an unsuspecting user in the context of the affected
site. This may facilitate the theft of cookie-based authentication credentials
as well as other attacks.
Exploiting UTF-7 cross-site scripting vulnerabilities
-----------------------------------------------------
It is possible to exploit UTF-7 cross-site scripting vulnerabilities only on
browsers that violate the RFC 2616 [1] specification.
From RFC 2616, 3.7.1 Canonicalization and Text Defaults:
“The "charset" parameter is used with some media types to define the character
set (section 3.4) of the data. When no explicit charset parameter is provided by
the sender, media subtypes of the "text" type are defined to have a default
charset value of "ISO-8859-1" when received via HTTP. Data in character sets
other than "ISO-8859-1" or its subsets MUST be labeled with an appropriate
charset value. See section 3.4.1 for compatibility problems.”
Based on Stefan Esser security advisory [2], BID 29112 [3] and BugSec security
team research, the following browsers are affected by this issue:
- Microsoft Internet Explorer 7
- Mozilla Firefox 2.0.0.1 and below
- Opera 9.19 and below [4]
Immune browsers:
- Microsoft Internet Explorer 6
- Opera 8
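As an added defender-side example (not part of the advisory, and not Resin's own code), the check below parses a constructed copy of the 404 response shown in the Proof-of-Concept, reports whether the text/html page declares a charset in either the Content-Type header or a META tag as the RFC 2616 excerpt requires, and decodes the body as UTF-7 to show what a charset-sniffing browser would render; the same page with an explicit charset is not flagged. The sample responses and the function names are constructed for this illustration.

```python
import re

# Constructed sample modelled on the 404 response in the advisory: a text/html
# error page that reflects the request path and declares no charset at all.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Resin/3.2.s080828\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>"
    "/+ADw-script+AD4-alert(1)+ADw-/script+AD4- was not found on this server."
    "</body></html>"
)
# Constructed sample of the mitigated form: same page, charset declared explicitly.
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace(
    "Content-Type: text/html", "Content-Type: text/html; charset=ISO-8859-1")

UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]*-?")          # "+ADw-" style sequences
META_CHARSET = re.compile(r"<meta[^>]+charset\s*=", re.I)
CT_CHARSET = re.compile(r"charset\s*=\s*\"?([\w-]+)", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_charset(headers, body):
    """Charset the response declares via Content-Type or a META tag, else None."""
    match = CT_CHARSET.search(headers.get("content-type", ""))
    if match:
        return match.group(1)
    return "meta" if META_CHARSET.search(body) else None


def audit(raw):
    """Flag a text/* response with no declared charset whose bytes, read as
    UTF-7 by a sniffing browser, contain script markup the server never sent."""
    status, headers, body = parse_response(raw)
    is_text = headers.get("content-type", "").lower().startswith("text/")
    charset = declared_charset(headers, body)
    as_utf7 = body.encode("ascii", "replace").decode("utf-7", "replace")
    yields_script = "<script" in as_utf7.lower()
    return {"status": status, "charset": charset,
            "charset_sniffable": is_text and charset is None,
            "utf7_sequences": len(UTF7_SHIFT.findall(body)),
            "utf7_yields_script": yields_script,
            "at_risk": is_text and charset is None and yields_script}
```

Note that the fixed response still decodes to the same markup under UTF-7; it is the explicit charset declaration, not the body, that removes the browser's reason to guess.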
Security Analysis
-----------------
Discovery
---------
Moshe Ben-Abu
BugSec LTD. - Security Consulting Company
http://www.bugsec.com
Disclosure Timeline
-------------------
25/09/2008 – BugSec Security Team notifies Caucho Technology about a
vulnerability discovered in Resin.
25/09/2008 – Vendor acknowledges notification and requests further details.
25/09/2008 – BugSec Security Team sends an advisory draft containing
technical details and Proof of Concept code for the vulnerability.
02/10/2008 – Caucho Technology releases Caucho Resin 3.2.1; the vulnerability
is fixed.
05/10/2008 – Advisory released.
About BugSec LTD.
-----------------
BugSec Services provides IT & Application Security services for large-scale
organizations.
Among its services: Penetration Testing, Risk Assessments, Secure Code
Development and Guidance.
BugSec Solutions develops innovative products and tools which give focused
solutions to systems and data security issues, such as Web Application
Security, Secure Coding and Anti-Phishing solutions.
References
----------
[1] Hypertext Transfer Protocol -- HTTP/1.1 – RFC 2616,
http://www.ietf.org/rfc/rfc2616.txt
[2] “Multiple Browsers Cross Domain Charset Inheritance Vulnerability” by Stefan Esser,
http://www.hardened-php.net/advisory_032007.142.html
[3] “Microsoft Internet Explorer UTF-7 HTTP Response Handling Weakness” by Yaniv Miron and Yossi Yakubov,
http://www.securityfocus.com/bid/29112/
[4] “Character Encoding Inheritance in iframes Can Enable Cross-Site Scripting” – Opera Software,
http://www.opera.com/support/search/view/855/