
DOE-CIRC TECHNICAL BULLETIN

T-142: Basic Analysis and Security Engine Cross-Site Scripting Vulnerability

May 26, 2009 13:00 GMT

PROBLEM: Basic Analysis And Security Engine (BASE) does not properly validate input and is vulnerable to XSS and HTML injection.
PLATFORM: BASE 1.4.2
ABSTRACT: Basic Analysis And Security Engine (BASE) is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-142.shtml
  OTHER LINKS:
    Sploit Website: http://spl0it.org/blog/index.php?entry=entry090522-185228
    BASE Patches Website: http://secureideas.sourceforge.net/


Discussion:
Attackers can use a browser to exploit these issues. To exploit a cross-site scripting vulnerability, an attacker must
entice an unsuspecting user to follow a malicious URI.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker
to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are
also possible.

Vulnerable:
BASE 1.4.2 is vulnerable; other versions may be affected as well.

Solution:
Currently we are not aware of any vendor-supplied patches. It is recommended that persons with access to BASE instances
exercise heightened caution when working with suspicious links until a patch is made available.
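
Added example (not part of the original bulletin and not BASE code): one way to check a link before following it is to decode its parameters and look for HTML or script markup. The host name, the script name page.php and the sample links are constructed placeholders; replace BASE_HOSTS with the host names of your own BASE consoles.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: host names of your own BASE consoles (placeholder value).
BASE_HOSTS = {"base.example.internal"}

# Markup that has no business in a parameter of a link to an alert console:
# angle brackets, a javascript: scheme, or an inline event handler (onxxx=).
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded markup (%253C) is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage_link(url):
    """Return (field, decoded_value) findings for a link to a BASE host.

    An empty list means nothing suspicious was found, or the link does not
    point at a host listed in BASE_HOSTS.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in BASE_HOSTS:
        return []
    fields = parse_qsl(parts.query, keep_blank_values=True)
    # Markup can also be carried in the path or the fragment.
    fields += [("#path", parts.path), ("#fragment", parts.fragment)]
    findings = []
    for name, value in fields:
        decoded = fully_decode(value)
        if SUSPICIOUS.search(decoded):
            findings.append((name, decoded))
    return findings

# Constructed sample links (placeholders, not taken from the bulletin).
SAMPLE_LINKS = [
    "http://base.example.internal/base/page.php?sort=time_d&page=2",
    "http://base.example.internal/base/page.php?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "http://base.example.internal/base/page.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", triage_link(link) or "no markup found")
```

A clean result does not prove a link is safe; it only means none of the listed patterns appeared after decoding.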


DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                    


UCRL-MI-119788
IMPACT ASSESSMENT: The risk is medium. This is a common and popular security tool possibly used by many organizations.