Core Security Technologies Discovers Classic Web Application Vulnerabilities in SUN Java System Communications

CORE SECURITY TECHNOLOGIES DISCOVERS CLASSIC WEB APPLICATION VULNERABILITies in sun java system communications express

Security Testing Leader and Vendor Coordinate Efforts

to Protect Users from Critical Cross-Site Scripting Issue

BOSTON, MA – May 20, 2009 – Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, has issued an advisory disclosing critical vulnerabilities that could affect large numbers of end users and organizations using Sun’s Java System Communications Express Web-based communications and collaboration application.

Core Security Technologies consultants working with CoreLabs, the research arm of Core Security, unearthed multiple vulnerabilities in Sun’s Java System Communications Express, a remote access element of Sun’s Java Communications Suite, which, if leveraged, could allow attackers to target users of the application through exploitation of cross-site scripting (XSS) bugs.

Upon making the discoveries, CoreLabs immediately alerted the Sun Security Coordination Team to the vulnerabilities and the two companies have since synchronized efforts to ensure that patches could be created and made available to protect users of the program.

“Cross-Site Scripting bugs are popular among attackers attempting to coax Web applications into providing control of end users’ Web browsers to carry out a wide range of malicious schemes,” said Ivan Arce, CTO of Core Security Technologies. “It is very important that organizations take the necessary steps to ensure that the applications they build or license from third parties are not susceptible to these types of exploits.”

Sun’s Java System Communications Express is aimed primarily at organizations seeking to offer their users remote access to browser-based email, calendaring and task management.

The XSS issues uncovered in Java System Communications Express reside in the product’s personal address book and another URL and were initially discovered and researched by the Security Consulting Services team from Core Security Technologies.

Vulnerability Details

Sun Java System Communications Express

CoreLabs security researchers found multiple XSS vulnerabilities in Java System Communications Express, specifically in two individual URLs. Cross-site scripting (XSS) vulnerabilities allow an attacker to execute arbitrary scripting code in the context of the user browser (in the vulnerable application’s domain). For example, an attacker could exploit an XSS vulnerability to steal user cookies (and then impersonate the legitimate user) or redirect them to a fake page requesting information from the user (i.e. credentials). This vulnerability occurs when user-supplied data is displayed without encoding.

In the case of the first XSS vulnerability, resident in the product’s Personal Address Book “add contact” functionality, the affected URL is originally accessed thru a POST request, and the flaw can be exploited both with a GET and with a POST request. The contents of the variables involved in a potential attack are not encoded at the time of using them in HTML output, therefore allowing an attacker who controls their content to insert JavaScript code.

In the second vulnerability, the contents of the URL are not encoded at the time of using them in HTML output, therefore allowing an attacker who controls their content to insert JavaScript code. This vulnerability can be exploited through a GET request, and the user does not need to be logged into the web application. This makes this XSS vulnerability particularly open to email-based attacks through which an attacker could send a link to a ‘calendar’ and ‘exploit’ the victim.

For more information on this vulnerability, please view the CORE-2009-0109 Security Advisory at:

http://www.coresecurity.com/content/sun-communications-express

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. It conducts its research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Its results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

Contacts:

Tim Whitman or Justin Drake

Schwartz Communications

781 684-0770

coresecurity@schwartz-pr.com

Wed, May 20