Document Title:
===============
PGP Website - Multiple Cross Site Scripting Vulnerabilities



Release Date:
=============
2011-07-16


Vulnerability Laboratory ID (VL-ID):
====================================
95


Product & Service Introduction:
===============================
PGP Corporation is a global leader in email and data encryption software for Enterprise Data Protection. 
Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest 
set of integrated applications for enterprise data security. PGP® platform-enabled applications allow 
organizations to meet current needs and expand as security requirements change for email, laptops, desktops, 
instant messaging, smartphones, network storage, file transfers, automated processes, and backups. PGP® 
encryption solutions have earned a reputation for innovative, standards-based, trusted solutions currently 
used by more than 110,000 enterprises, businesses, and governments worldwide, including 96 percent of the 
Fortune® 100, 74 percent of Fortune® Global 100, 80 percent of the German DAX Index and 71 percent of the 
United Kingdom FTSE 100 Index. Customers depend on PGP solutions as part of a regulatory and audit compliance 
solution, to protect confidential information, secure customer data, and safeguard companies  brands and reputations ...

(Copy of the Vendor Homepage: http://pgp.com/)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple Cross Site Scripting Vulnerabilities on the PGP.Com website.


Vulnerability Disclosure Timeline:
==================================
2011-07-15:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
Multiple client-side cross site scripting vulnerabilities are detected on the PGP main website.
The type of vulnerability allows an attacker to phish accounts & hijack not expired customer sessions.
The vulnerability allows also to force client-side ssl certificate requests as a bypass.

Vulnerable Module(s):
			                   [+] Search Engine Output
			                   [+] adirect - ?cmd= param
			                   [+] Exception-handling


Pictures:
			../pgp.com.png
			../pgp.com2.png
			../pgp.com3.png
			../pgp.com4.png
			../pgp.com5.png


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers on client-side. The scenario requires high user inter action.
For demonstration or reproduce ...

Path: https://eu.store.pgp.com/pgp/en/US/adirect/pgp
Param: ?cmd=

Reference:
https://eu.store.pgp.com/pgp/en/US/adirect/pgp?cmd=>"<INCLUDE OWN SCRIPtCODE HERE!!>&AddToCartProductID=200010
https://eu.store.pgp.com/pgp/en/US/adirect/pgp?cmd=>"<INCLUDE OWN SCRIPtCODE HERE!! scrolling=
"no" scrollbarvisable="no">&AddToCartProductID=200010


Path:  http://www.pgp.com/search?q=
Param: ?q=


Reference:
http://www.pgp.com/search?q=>"<INCLUDE OWN SCRIPtCODE HERE!!>&restrict=newstore&site=
pgp&output=xml_no_dtd&client=pgp&lr=&proxystylesheet=pgp&oe=


Exception-handling exploitation also possible ...

<!-----------------------  START STACK TRACE ------------------------------
com.comergent.api.exception.ICCException: [CMGT_E_INVALID_REQUEST]: ">"<<EXECUTES THE SCRIPTCODE HERE!!! scrolling="no" scrollbarvisable="no"> is not a valid request"
	at com.comergent.api.messageType.MessageTypeObjectFactory.makeException(MessageTypeObjectFactory.java:436)
	at com.comergent.api.messageType.MessageTypeObjectFactory.getMessageType(MessageTypeObjectFactory.java:198)
	at com.comergent.dcm.core.AppExecutionEnv.getMTInstance(AppExecutionEnv.java:200)
	at com.comergent.dcm.core.DispatchServlet.createController(DispatchServlet.java:252)
	at com.comergent.dcm.core.DispatchServlet.doExecute(DispatchServlet.java:428)
	at com.comergent.pgp.dcm.core.PGPDispatchServlet.execute(PGPDispatchServlet.java:59)
	at com.comergent.dcm.core.DispatchServlet.dispatch(DispatchServlet.java:189)
	at com.comergent.dcm.core.DispatchServlet.doGet(DispatchServlet.java:145)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.CredentialPropagationFilter.executeFilter(CredentialPropagationFilter.java:57)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.AAFilter.executeFilter(AAFilter.java:54)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.WrappingFilter.executeFilter(WrappingFilter.java:113)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.StatsFilter.executeFilter(StatsFilter.java:38)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.RequestControlFilter.executeFilter(RequestControlFilter.java:102)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.TimingFilter.executeFilter(TimingFilter.java:46)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:50)
	at com.comergent.dcm.core.filters.EntryFilter.executeFilter(EntryFilter.java:51)
	at com.comergent.dcm.core.filters.ComergentFilter.doFilter(ComergentFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
	at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	at java.lang.Thread.run(Thread.java:619)


Solution - Fix & Patch:
=======================
January 2011 - Quartal 1


Security Risk:
==============
The security risk of the vulnerabilities are estimated as low because of the client-side attack vector.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory