Advisory: Cross-Site-Scripting (XSS) in tcllib's html::textarea Release Date: 26 February 2015 Last Modified: 26 February 2015 Author: Ben Fuhrmannek [ben.fuhrmannek[at]sektioneins.de]
"The Tcl Library is a kitchen sink of packages across a broad spectrum of things." - Tcl Library Home (http://core.tcl.tk/tcllib/home)
Applications using tcllib's ::html::textarea functions are vulnerable to Cross-Site-Scripting. This function is usually used to programmatically add an HTML <textarea> to the output stream of a CGI script.
No publicly available software has been found to be vulnerable. However it is suspected that many non-public Tcl web applications using the ::html::textarea function are in operation.
HelpDezk -> Version: 1.0.1 Type: Multiple Critical Vulnerabilities Severity: Critical Info Exploit: Different exploits making it possible to take over the website/server
- Arbitrary File Upload - Remote Command Execution - User Information Disclosure
CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Standard Taglibs 1.2.1 The unsupported 1.0.x and 1.1.x versions may also be affected.
Description: When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
Mitigation: Users should upgrade to Apache Standard Taglibs 1.2.3 or later.
This version uses JAXP’s FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required: Java8: External entity access is automatically disabled if a SecurityManager is active. Java7: JAXP properties may need to be used to disable external access. Seehttp://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html Java6 and earlier: A new system property org.apache.taglibs.standard.xml.accessExternalEntity may be used to specify the protocols that can be used to access external entities. This defaults to “all” if no SecurityManager is present and to “” (thereby disabling access) if a SecurityManager is detected.
Vendor & product description: ----------------------------- "Loxone Electronics was founded in 2008. Our focus is the development and production of control solutions for all homes. Our aim is to make home automation interesting, affordable and accessible for everyone."
"The Loxone Smart Home gives the owner full control of every device or task using a wall switch, phone or smart tablet. Control and automte areas such as: Lighting, Climate, Security, Audio/Video, Shading, and event Pool and irrigation systems. Your system will adapt all areas of your home providing complete smart home automation."