WebWorks.com Security Advisory 2009-0001
========================================

Topic:
  WebWorks Help - Cross-site scripting vulnerability

Severity:
  Allows theft of credentials associated with a network domain

ID:
  CVE-2009-3731

Alternate IDs:
  WWSA-2009-0001
  SS-09-001
  VMSA-2009-0017

Related Advisories:
  VMware and WebWorks XSS
  http://www.stratsec.net/files/SS-09-001-Stratsec-VMWare%20WebWorks%20XSS%20Advisory%20v1.0.pdf

  stratsec Releases VMWare Advisory;
  Recruits Leading Security Researcher
  http://www.stratsec.net/files/stratsec-VM%20Ware%20Vulnerability_MR_161209_1%200.pdf

  VMware vCenter, ESX patch and vCenter Lab Manager releases
  address cross-site scripting issues
  http://www.vmware.com/security/advisories/VMSA-2009-0017.html

Versions Affected:
 * ePublisher 2009.2 - WebWorks Help 5.0
 * ePublisher 2009.1 - WebWorks Help 5.0
 * ePublisher 2008.4 - WebWorks Help 5.0
 * ePublisher 2008.3 - WebWorks Help 5.0
 * ePublisher 2008.2 - WebWorks Help 5.0
 * ePublisher 2008.1 - WebWorks Help 5.0
 * ePublisher 9.3 - WebWorks Help 5.0
 * ePublisher 9.2.* - WebWorks Help 5.0
 * ePublisher 9.1.* - WebWorks Help 5.0
 * ePublisher 9.0.* - WebWorks Help 5.0
 * WebWorks Publisher 8.* (includes Publisher 2003), WebWorks Help 4.0
 * WebWorks Publisher 7.*, WebWorks Help 3.0
 * WebWorks Publisher 6.*, WebWorks Help 2.0

Fixed:
 * ePublisher 2009.3: November 17, 2009 (except legacy formats)
 * ePublisher 2009.2: December 3, 2009
 * ePublisher 2009.1: December 3, 2009
 * ePublisher 2008.4: December 3, 2009
 * ePublisher 2008.3: December 3, 2009
 * ePublisher 2008.2: December 3, 2009
 * ePublisher 2008.1: December 3, 2009
 * ePublisher 9.3: December 3, 2009

Please note that ePublisher releases prior to version 9.3 are no
longer supported (EOLed as of May 4, 2009).  It is recommended
that all users upgrade to a supported release.

ePublisher Release History and Status
http://www.webworks.com/Support/ePublisher/Version_History/


Abstract
========

WebWorks Help may be deployed to users either via file system access
or web access.  This security issue only applies to cases where WebWorks
Help has been deployed for web access and the web server is configured
to make use of non-public (client specific) information.

The WebWorks Help JavaScript runtime will accept and process untrusted
input strings.  As a result, malicious web sites may access cookies
or execute JavaScript code against a target site should a user first
authenticate (if required) to the target site and then browse to the
malicious site.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
http://www.webworks.com/Security/2009-0001/


Technical Details
=================

The identified vulnerabilities are classified as "DOM-Based" cross-site
scripting attacks.  The source of this issue relates to JavaScript code
accepting and processing input from untrusted sources.  These input
strings come from context-sensitive URL parameters and localized messages
used to present topic links for bookmarking purposes.

Insufficient escaping of URL parameters occurs in 4 files:

 * Entry file, usually index.html (based upon wwhelp_entry.html)
 * wwhsec.htm (if present, based upon wwhelp_entry.html)
 * wwhelp\wwhimpl\api.htm
 * wwhelp\wwhimpl\common\html\frameset.htm
 * wwhelp\wwhimpl\common\scripts\switch.js

Use of JavaScript's "window.opener" accessor results in vulnerabilities
in 1 file:

 * wwhelp\wwhimpl\common\html\bookmark.htm

This vulnerability depends upon the file's contents.  The bookmark
feature itself need not be enabled to be used as an attack vector.

Client-side protection measures included with current browsers are not
always able to prevent these attacks from being executed.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731
http://www.webworks.com/Security/2009-0001/
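To make the two classes of flaw concrete from the defender's side, the following JavaScript is an added example; it is not WebWorks Help code and not the vendor's patch. It shows an allowlisted parser for help-set URL parameters next to the unsafe pattern of splicing a query value straight into markup, and the origin check a page should make before trusting anything reachable through `window.opener`. The parameter names `context`, `topic` and `href`, the relative-path rule for `href`, and the origin `https://help.example.com` are assumptions for illustration; the real WebWorks Help parameter names are not given in this advisory, and the vendor's own remediation removes the bookmark feature rather than guarding the opener.

```javascript
// Added example (not WebWorks Help code): allowlist URL parameters, escape on
// output, and verify window.opener before trusting it. Runs under Node.js
// (URLSearchParams is a global) and in any current browser.
// Assumptions: parameter names context/topic/href and the trusted origin
// https://help.example.com are constructed for illustration.

const TRUSTED_ORIGIN = 'https://help.example.com'; // assumed deployment origin

// Allowed parameters and the exact shape each value must have. Anything not
// listed here is dropped; anything listed that fails its pattern is rejected.
const ALLOWED_PARAMS = {
  context: /^[A-Za-z0-9_-]{1,64}$/,
  topic:   /^[A-Za-z0-9_-]{1,64}$/,
  // Relative topic file only: must start with a word character, no "..",
  // no scheme and no protocol-relative "//", and must end in .htm or .html.
  href:    /^(?!.*\.\.)[A-Za-z0-9_-][A-Za-z0-9_\-\/.]*\.html?$/,
};

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Unsafe pattern (the class of bug the advisory describes): a query value is
// spliced straight into markup with no validation and no escaping.
function buildTopicLinkUnsafe(search) {
  const href = new URLSearchParams(search).get('href') || '';
  return '<a href="' + href + '">' + href + '</a>';
}

// Hardened parser: returns only known parameters whose values match the allowlist.
function parseHelpParams(search) {
  const out = {};
  for (const [key, val] of new URLSearchParams(search)) {
    // hasOwnProperty keeps keys such as "constructor" from resolving on Object.prototype
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_PARAMS, key)) continue;
    if (!ALLOWED_PARAMS[key].test(val)) {
      throw new Error('rejected value for parameter "' + key + '"');
    }
    out[key] = val;
  }
  return out;
}

// Hardened link builder: validates first, escapes on output, renders nothing on rejection.
function buildTopicLinkSafe(search) {
  let params;
  try { params = parseHelpParams(search); } catch (e) { return ''; }
  if (!params.href) return '';
  const label = params.topic || params.href;
  return '<a href="' + escapeHtml(params.href) + '">' + escapeHtml(label) + '</a>';
}

// window.opener guard: a window opened from another site has an opener whose
// location cannot be read (the browser throws) or whose origin differs. In
// either case the opener must not be used as a source of data or function calls.
function openerIsTrusted(opener, expectedOrigin = TRUSTED_ORIGIN) {
  if (!opener) return false;
  let origin;
  try { origin = opener.location.origin; } catch (e) { return false; }
  return origin === expectedOrigin;
}

// Usage with constructed query strings (browser code would pass window.location.search):
console.log(buildTopicLinkSafe('?href=chapter1/topic2.html&topic=Topic_2'));
console.log(buildTopicLinkSafe('?href=%2F%2Fhelp.example.org/x.html')); // rejected, prints an empty line
```

In a real help page the validated values would be assigned with `textContent` and `setAttribute` rather than through `innerHTML` or `document.write`; the output escaping is the second line of defence behind the allowlist, not a substitute for it.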


Solutions and Workarounds for New Help Sets
===========================================

This issue can be remedied by patching files to address both the URL
parsing vulnerability as well as the related "window.opener" issue.
Each remediation archive includes updated files and change set reports
to assist users who make use of custom files.

NOTE: Applying these files results in the loss of WebWorks Help's
      bookmark feature.  However, this feature has been disabled by
      default for some time due to decreased functionality resulting
      from continual browser security improvements.

* ePublisher 2009.3

 1. Download the remediation archive for ePublisher 2009.3:

    ePublisher 2009.3:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.3.zip

 2. Unzip the archive and copy files found in each version specific directory,
    e.g. "9.3\Formats\WebWorks Help 5.0\"
    into the corresponding location in your program files area.
    
    ePublisher Designer (Pro):
      C:\Program Files\WebWorks\ePublisher\<version>\Formats\WebWorks Help 5.0

 3. The patch files may also need to be copied into your active Pro
    (Design) projects if you have created customization overrides for
    those files.

 4. Update any related ePublisher Stationery.

 5. Re-synch all ePublisher Express projects with the updated Stationery.

* ePublisher 9.3, 2008.1-4, 2009.1-2

 1. Determine your current ePublisher version.

 2. Download the appropriate remediation archive.

    ePublisher 2009.2:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.2.zip

    ePublisher 2009.1:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.1.zip

    ePublisher 2008.4:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.4.zip

    ePublisher 2008.3:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.3.zip

    ePublisher 2008.2:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.2.zip

    ePublisher 2008.1:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.1.zip

    ePublisher 9.3:
      http://www.webworks.com/Security/2009-0001/ePublisher%209.3.zip

 3. Unzip the archive and copy files found in "Formats\WebWorks Help 5.0\"
    into the corresponding location in your program files area.
    
    ePublisher Pro:
      C:\Program Files\WebWorks\ePublisher Pro\Formats\WebWorks Help 5.0

    ePublisher AutoMap:
      C:\Program Files\WebWorks\ePublisher AutoMap\Formats\WebWorks Help 5.0

 4. The patch files may also need to be copied into your active Pro
    (Design) projects if you have created customization overrides for
    those files.

 5. Update any related ePublisher Stationery.

 6. Re-synch all ePublisher Express projects with the updated Stationery.


Solutions and Workarounds for Deployed Help Sets
================================================

It is possible to patch deployed help sets using information provided
in the remediation archives.  The affected files are generally not
customized by end-users, with the exception of "controls.js".
Therefore, determining your deployed WebWorks Help version should
assist you in selecting the appropriate replacement files.

Updating the required files will address both the URL parsing
vulnerability as well as the related "window.opener" issue. Each patch
archive includes updated files and change set reports to assist users
who make use of custom files.

NOTE: Applying these files results in the loss of WebWorks Help's
      bookmark feature.  However, this feature has been disabled by
      default for some time due to decreased functionality resulting
      from continual browser security improvements.

* ePublisher 9.2.2, 9.3, 2008.1-4, 2009.1-2

 1. Determine your deployed WebWorks Help version.

    You may compare your deployed files against the original versions
    included in the following archive:

      http://www.webworks.com/Security/2009-0001/ePublisher%20Originals.zip

 2. Download the appropriate remediation archive.

    ePublisher 2009.2:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.2.zip

    ePublisher 2009.1:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.1.zip

    ePublisher 2008.4:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.4.zip

    ePublisher 2008.3:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.3.zip

    ePublisher 2008.2:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.2.zip

    ePublisher 2008.1:
      http://www.webworks.com/Security/2009-0001/ePublisher%202008.1.zip

    ePublisher 9.3:
      http://www.webworks.com/Security/2009-0001/ePublisher%209.3.zip

    ePublisher 9.2.2:
      http://www.webworks.com/Security/2009-0001/ePublisher%202009.3.zip

 3. Unzip the archive and copy files found in "Formats\WebWorks Help 5.0\"
    into the corresponding locations in your deployed help sets.

    * wwhelp\wwhimpl\api.htm
    * wwhelp\wwhimpl\common\html\bookmark.htm
    * wwhelp\wwhimpl\common\html\frameset.htm
    * wwhelp\wwhimpl\common\scripts\switch.js

 4. Entry point files will also need to be updated, though their names
    can be customized by end users.  Therefore, you will need to determine
    the entry point file name used by your deployed help sets.

    * Entry file, usually index.html
      Copy from Transforms\wwhelp_entry.html

    * wwhsec.htm (if present)
      Copy from Transforms\wwhelp_entry.html

 5. Finally, to avoid run-time issues with the bookmark feature, users
    can optionally update "controls.js".  This file update is optional
    in that if the feature is not enabled, it is safe to leave the code
    in place.  This may be appropriate for users who have customized
    "controls.js" with additional toolbar buttons, etc.

    * wwhelp\wwhimpl\common\scripts\controls.js


Thanks To
=========

Daniel Grzelak and Alex Kouzemtchenko of stratsec (www.stratsec.net) for
finding and reporting the issue.

Monty Ijzerman and Teresa Velasco from VMware (www.vmware.com) for
coordinating and validating resolutions made by stratsec and WebWorks.com.


Revision History
================

2009-12-16  Added links to public stratsec and VMware advisories.

2009-12-15  Linked to VMware notice on the VMware security mailing
            list.

2009-12-09  Provided original versions of all affected files for
            comparison to deployed help files.

2009-12-04  Created a solution for patching deployed WebWorks Help
            instead of requiring content regeneration by ePublisher.

2009-12-03  Initial release.