
T-602: BlackBerry Enterprise Server Input Validation Flaw in BlackBerry Web Desktop Manager Permits Cross-Site Scripting Attacks

April 14, 2011 - 5:07am


PROBLEM:

BlackBerry Enterprise Server Input Validation Flaw in BlackBerry Web Desktop Manager Permits Cross-Site Scripting Attacks

PLATFORM:

BlackBerry Enterprise Server Express versions 5.0.1 and 5.0.2 for Microsoft Exchange, 5.0.2 for IBM Lotus Domino, 5.0.0 through 5.0.3 for Microsoft Exchange and IBM Lotus Domino, and version 5.0.1 for Novell GroupWise. OS Platform(s): Windows (2000), Windows (2003), Windows (2008)

ABSTRACT:

The BlackBerry Web Desktop Manager does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the BlackBerry Web Desktop Manager software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
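The flaw class above is an unescaped reflection of request input into HTML. The following is an added illustration, not RIM's code or anything from the advisory: a constructed query-string value rendered once the way the abstract describes (unfiltered) and once with context-appropriate encoding, plus a check that no raw tag survives encoding.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a value a remote user controls through the URL query
# string. It is not a payload from the advisory, just a marker that would
# break out of an attribute and inject a tag if echoed verbatim.
UNTRUSTED = '"><script>alert(1)</script>'


def render_unsafe(value: str) -> str:
    """The pattern the advisory describes: input echoed into HTML unfiltered."""
    return f'<input name="q" value="{value}">'


def encode_text(value: str) -> str:
    """For HTML text nodes: encode &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def encode_attr(value: str) -> str:
    """For attribute values: same encoding, but the caller must always
    wrap the attribute in double quotes for this to be sufficient."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """For href/src attributes: encoding alone does not stop a javascript:
    URL, so allow only http(s) schemes, then attribute-encode the result."""
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return "#"
    return encode_attr(value)


def render_safe(value: str) -> str:
    """Hardened counterpart of render_unsafe: same markup, encoded input."""
    return f'<input name="q" value="{encode_attr(value)}">'


def contains_script_tag(rendered: str) -> bool:
    """Check used to verify output: a raw <script tag must never survive
    encoding; in the unsafe rendering it does."""
    return "<script" in rendered.lower()
```

Assumptions: the attribute is double-quoted in the template, and links are only ever rendered from absolute http(s) URLs; other contexts (inline JavaScript, CSS) need their own encoders and are out of scope here.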

REFERENCE LINKS:

CYBSEC Advisory 2011 0401 Cross-Site Scripting (XSS) in Blackberry WebDesktop
BlackBerry Web Desktop Manager Reference
Research In Motion (RIM) Reference Link

IMPACT ASSESSMENT:

High

Discussion:

The vulnerability could allow an attacker to execute externally supplied scripts using the user privileges of the BlackBerry Web Desktop Manager. This could allow the attacker to perform any BlackBerry Web Desktop Manager task that the legitimate user could perform on a BlackBerry smartphone while the user is logged in to the BlackBerry Web Desktop Manager. Such tasks include remotely resetting the device password and locking the device, remotely wiping and disabling the device, and activating the user's account on another device over the wireless network. Successful exploitation of this issue requires an attacker to persuade the legitimate user to click a specially crafted URL. That URL may be delivered in a web page, an email, or an instant message.

Solution:

As a best practice, RIM recommends that access to administrative functions of the BlackBerry Enterprise Server, including BlackBerry Web Desktop Manager, be allowed only from trusted networks or specific hosts. Refer to the documentation for your web browser to learn about potential mitigation of cross-site scripting vulnerabilities.
The following released versions of the BlackBerry Enterprise Server resolve this issue:

BlackBerry Enterprise Server version 5.0.3 MR1 for Microsoft Exchange and IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry Enterprise Server version 5.0.3 MR1.

BlackBerry Enterprise Server version 5.0.2 MR5 for Microsoft Exchange
* Visit http://www.blackberry.com/go/serverdownloads to obtain BlackBerry Enterprise Server version 5.0.2 MR5.

RIM has issued the following interim security software updates that resolve the vulnerability in affected versions of the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express.

For BlackBerry Enterprise Server version 5.0.2 for IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server version 5.0.1 for Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise
* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange and IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for April 12, 2011.

For BlackBerry Enterprise Server Express version 5.0.1 for Microsoft Exchange
* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Software Update for April 12, 2011.

If you are using a software version that is not listed above, update to one of the listed versions to apply the upgrade.