WebWorks.com Security Advisory 2009-0001
========================================

Topic:
  WebWorks Help - Cross-site scripting vulnerability

Severity:
  Allows theft of credentials associated with a network domain

ID:
  CVE-2009-3731

Alternate IDs:
  WWSA-2009-0001
  SS-09-001
  VMSA-2009-0017

Related Advisories:

  VMware and WebWorks XSS
  http://www.stratsec.net/files/SS-09-001-Stratsec-VMWare%20WebWorks%20XSS%20Advisory%20v1.0.pdf

  stratsec Releases VMWare Advisory; Recruits Leading Security Researcher
  http://www.stratsec.net/files/stratsec-VM%20Ware%20Vulnerability_MR_161209_1%200.pdf

  VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues
  http://www.vmware.com/security/advisories/VMSA-2009-0017.html

Versions Affected:
  * ePublisher 2009.2 - WebWorks Help 5.0
  * ePublisher 2009.1 - WebWorks Help 5.0
  * ePublisher 2008.4 - WebWorks Help 5.0
  * ePublisher 2008.3 - WebWorks Help 5.0
  * ePublisher 2008.2 - WebWorks Help 5.0
  * ePublisher 2008.1 - WebWorks Help 5.0
  * ePublisher 9.3 - WebWorks Help 5.0
  * ePublisher 9.2.* - WebWorks Help 5.0
  * ePublisher 9.1.* - WebWorks Help 5.0
  * ePublisher 9.0.* - WebWorks Help 5.0
  * WebWorks Publisher 8.* (includes Publisher 2003), WebWorks Help 4.0
  * WebWorks Publisher 7.*, WebWorks Help 3.0
  * WebWorks Publisher 6.*, WebWorks Help 2.0

Fixed:
  * ePublisher 2009.3: November 17, 2009 (except legacy formats)
  * ePublisher 2009.2: December 3, 2009
  * ePublisher 2009.1: December 3, 2009
  * ePublisher 2008.4: December 3, 2009
  * ePublisher 2008.3: December 3, 2009
  * ePublisher 2008.2: December 3, 2009
  * ePublisher 2008.1: December 3, 2009
  * ePublisher 9.3: December 3, 2009

Please note that ePublisher releases prior to version 9.3 are no longer
supported (EOLed as of May 4, 2009). It is recommended that all users
upgrade to a supported release.

  ePublisher Release History and Status
  http://www.webworks.com/Support/ePublisher/Version_History/

Abstract
========

WebWorks Help may be deployed to users either via file system access or
web access. This security issue only applies to cases where WebWorks Help
has been deployed for web access and the web server is configured to make
use of non-public (client specific) information.

The WebWorks Help JavaScript runtime will accept and process untrusted
input strings. As a result, malicious web sites may access cookies or
execute JavaScript code against a target site should a user first
authenticate (if required) to the target site and then browse to the
malicious site.

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
  http://www.webworks.com/Security/2009-0001/

Technical Details
=================

The identified vulnerabilities are classified as "DOM-Based" cross-site
scripting attacks. The source of this issue relates to JavaScript code
accepting and processing input from untrusted sources. These input strings
come from context-sensitive URL parameters and localized messages used to
present topic links for bookmarking purposes.

Insufficient escaping of URL parameters occurs in 4 files:

  * Entry file, usually index.html (based upon wwhelp_entry.html)
  * wwhsec.htm (if present, based upon wwhelp_entry.html)
  * wwhelp\wwhimpl\api.htm
  * wwhelp\wwhimpl\common\html\frameset.htm
  * wwhelp\wwhimpl\common\scripts\switch.js

Use of JavaScript's "window.opener" accessor results in vulnerabilities
in 1 file:

  * wwhelp\wwhimpl\common\html\bookmark.htm

This vulnerability depends upon the file's contents. The bookmark feature
itself need not be enabled to be used as an attack vector.

Client-side protection measures included with current browsers are not
always able to prevent these attacks from being executed.
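
The URL-parameter pattern described above, shown next to a hardened form.
This is an added example, not WebWorks code and not the contents of the
remediation archives; the "topic" parameter, the function names and the
help.example.com URLs are hypothetical.

```javascript
// Added illustration, not WebWorks source. The "topic" parameter, function
// names and help.example.com URLs are hypothetical / constructed.

// Vulnerable pattern: a URL parameter is concatenated straight into markup
// that the page would then pass to document.write() or innerHTML.
function buildFrameUnsafe(locationHref) {
  const topic = new URL(locationHref).searchParams.get('topic') || 'default.htm';
  return '<frame name="content" src="' + topic + '">';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolve the parameter against the help set's own directory and accept it
// only if it stays on the same origin and under that directory.
function resolveTopic(locationHref, fallback) {
  const page = new URL(locationHref);
  const base = new URL('./', page);           // directory holding the entry file
  const safeDefault = new URL(fallback, base);
  const raw = page.searchParams.get('topic');
  if (raw === null || raw === '') return safeDefault;
  let target;
  try {
    target = new URL(raw, base);
  } catch (err) {
    return safeDefault;                       // unparsable input
  }
  // Origin check rejects javascript:, data: and other hosts.
  const sameOrigin = target.origin === base.origin;
  // Path check rejects "../" escapes (the URL parser normalises them first).
  const insideHelpSet = target.pathname.startsWith(base.pathname);
  return sameOrigin && insideHelpSet ? target : safeDefault;
}

// Hardened form: validate first, then escape for the attribute context.
function buildFrameSafe(locationHref) {
  const target = resolveTopic(locationHref, 'default.htm');
  return '<frame name="content" src="' + escapeHtml(target.href) + '">';
}

// Constructed inputs: one carrying markup, one carrying a non-http scheme.
const ENTRY = 'https://help.example.com/docs/index.html';
const MARKUP_INPUT = ENTRY + '?topic=' + encodeURIComponent('"><b>injected</b>');
const SCHEME_INPUT = ENTRY + '?topic=' + encodeURIComponent('javascript:probe()');
```
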

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
  http://www.webworks.com/Security/2009-0001/

Solutions and Workarounds for New Help Sets
===========================================

This issue can be remedied by patching files to address both the URL
parsing vulnerability as well as the related "window.opener" issue.
Each remediation archive includes updated files and change set reports to
assist users who make use of custom files.

NOTE: Applying these files results in the loss of WebWorks Help's bookmark
feature. However, this feature has been disabled by default for some time
due to decreased functionality resulting from continual browser security
improvements.

* ePublisher 2009.3

  1. Download the remediation archive for ePublisher 2009.3:

       ePublisher 2009.3:
       http://www.webworks.com/Security/2009-0001/ePublisher%202009.3.zip

  2. Unzip the archive and copy files found in each version specific
     directory, e.g. "9.3\Formats\WebWorks Help 5.0\" into the
     corresponding location in your program files area.

       ePublisher Designer (Pro):
       C:\Program Files\WebWorks\ePublisher\<version>\Formats\WebWorks Help 5.0

  4. If necessary, the patch files may need to be copied into your active
     Pro (Design) projects if the user has created customization overrides
     for those files.

  5. Update any related ePublisher Stationery.

  6. Re-synch all ePublisher Express projects with the updated Stationery.

* ePublisher 9.3, 2008.1-4, 2009.1-2

  1. Determine your current ePublisher version.

  2. Download the appropriate remediation archive.

       ePublisher 2009.2: http://www.webworks.com/Security/2009-0001/ePublisher%202009.2.zip
       ePublisher 2009.1: http://www.webworks.com/Security/2009-0001/ePublisher%202009.1.zip
       ePublisher 2008.4: http://www.webworks.com/Security/2009-0001/ePublisher%202008.4.zip
       ePublisher 2008.3: http://www.webworks.com/Security/2009-0001/ePublisher%202008.3.zip
       ePublisher 2008.2: http://www.webworks.com/Security/2009-0001/ePublisher%202008.2.zip
       ePublisher 2008.1: http://www.webworks.com/Security/2009-0001/ePublisher%202008.1.zip
       ePublisher 9.3:    http://www.webworks.com/Security/2009-0001/ePublisher%209.3.zip

  3. Unzip the archive and copy files found in
     "Formats\WebWorks Help 5.0\" into the corresponding location in your
     program files area.

       ePublisher Pro:
       C:\Program Files\WebWorks\ePublisher Pro\Formats\WebWorks Help 5.0

       ePublisher AutoMap:
       C:\Program Files\WebWorks\ePublisher AutoMap\Formats\WebWorks Help 5.0

  4. If necessary, the patch files may need to be copied into your active
     Pro (Design) projects if the user has created customization overrides
     for those files.

  5. Update any related ePublisher Stationery.

  6. Re-synch all ePublisher Express projects with the updated Stationery.

Solutions and Workarounds for Deployed Help Sets
================================================

It is possible to patch deployed help sets using information provided in
the remediation archives. The affected files are generally not customized
by end-users, with the exception of "controls.js". Therefore, determining
your deployed WebWorks Help version should assist you in selecting the
appropriate replacement files.

Updating the required files will address both the URL parsing
vulnerability as well as the related "window.opener" issue.
Each patch archive includes updated files and change set reports to assist
users who make use of custom files.

NOTE: Applying these files results in the loss of WebWorks Help's bookmark feature.
However, this feature has been disabled by default for some time due to
decreased functionality resulting from continual browser security
improvements.

* ePublisher 9.2.2, 9.3, 2008.1-4, 2009.1-2

  1. Determine your deployed WebWorks Help version. You may compare your
     deployed files against the original versions included in the
     following archive:

       http://www.webworks.com/Security/2009-0001/ePublisher%20Originals.zip

  2. Download the appropriate remediation archive.

       ePublisher 2009.2: http://www.webworks.com/Security/2009-0001/ePublisher%202009.2.zip
       ePublisher 2009.1: http://www.webworks.com/Security/2009-0001/ePublisher%202009.1.zip
       ePublisher 2008.4: http://www.webworks.com/Security/2009-0001/ePublisher%202008.4.zip
       ePublisher 2008.3: http://www.webworks.com/Security/2009-0001/ePublisher%202008.3.zip
       ePublisher 2008.2: http://www.webworks.com/Security/2009-0001/ePublisher%202008.2.zip
       ePublisher 2008.1: http://www.webworks.com/Security/2009-0001/ePublisher%202008.1.zip
       ePublisher 9.3:    http://www.webworks.com/Security/2009-0001/ePublisher%209.3.zip
       ePublisher 9.2.2:  http://www.webworks.com/Security/2009-0001/ePublisher%202009.3.zip

  3. Unzip the archive and copy files found in
     "Formats\WebWorks Help 5.0\" into the corresponding locations in your
     deployed help sets.

       * wwhelp\wwhimpl\api.htm
       * wwhelp\wwhimpl\common\html\bookmark.htm
       * wwhelp\wwhimpl\common\html\frameset.htm
       * wwhelp\wwhimpl\common\scripts\switch.js

  4. Entry point files will also need to be updated, though their names
     can be customized by end users. Therefore, you will need to determine
     the entry point file name used by your deployed help sets.

       * Entry file, usually index.html
         Copy from Transforms\wwhelp_entry.html
       * wwhsec.htm (if present)
         Copy from Transforms\wwhelp_entry.html

  5. Finally, to avoid run-time issues with the bookmark feature, users
     can optionally update "controls.js". This file update is optional in
     that if the feature is not enabled, it is safe to leave the code in
     place.
     This may be appropriate for users who have customized "controls.js"
     with additional toolbar buttons, etc.

       * wwhelp\wwhimpl\common\scripts\controls.js

Thanks To
=========

Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net) for
finding and reporting the issue.

Monty Ijzerman and Teresa Velasco from VMware (www.vmware.com) for
coordinating and validating resolutions made by stratsec and WebWorks.com.

Revision History
================

2009-12-16  Added links to public stratsec and VMware advisories.
2009-12-15  Linked to VMware notice on the VMware security mailing list.
2009-12-09  Provided original versions of all affected files for
            comparison to deployed help files.
2009-12-04  Created a solution for patching deployed WebWorks Help instead
            of requiring content regeneration by ePublisher.
2009-12-03  Initial release.
