Vigil@nce: Blackberry Enterprise Server, Cross Site Scripting
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Scripting vulnerability in the Mobile
Data Service Connection Service of BlackBerry Enterprise Server.
Severity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 17/04/2009
IMPACTED PRODUCTS
– BlackBerry Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The Mobile Data Service Connection Service manages exchanges
between mobiles and applications.
The /admin/statistics/ConfigureStatistics page is used to
customize statistics. The input fields of this page are not filtered
(HTML-encoded) before being displayed back to the user.
An attacker can therefore trigger a Cross Site Scripting in the
"Customize Statistics" page of the MDS Connection Service.
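As an added illustration (not from the advisory or from the vendor), the unfiltered pattern the description refers to next to its output-encoding fix, in Python with constructed field values; the field names and table layout are assumptions, not BES internals:

```python
import html
import re

# Constructed sample: field values as a "Customize Statistics" style form
# might receive them. Names are hypothetical, not taken from the product.
SAMPLE_FIELDS = {
    "label": "Push requests <24h>",
    "interval": "60",
    "note": '"><b>injected</b>',  # constructed test vector for the check below
}

def render_unfiltered(fields):
    """Vulnerable pattern: values interpolated straight into the HTML."""
    rows = []
    for name, value in fields.items():
        rows.append(f'<tr><td>{name}</td>'
                    f'<td><input name="{name}" value="{value}"></td>'
                    f'<td>{value}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"

def render_filtered(fields):
    """Hardened pattern: encode each value for the context it lands in."""
    rows = []
    for name, value in fields.items():
        # quote=True also encodes " and ', so a value cannot close the
        # attribute; the text cell needs only the HTML metacharacters.
        attr = html.escape(value, quote=True)
        text = html.escape(value, quote=False)
        safe_name = html.escape(name, quote=True)
        rows.append(f'<tr><td>{safe_name}</td>'
                    f'<td><input name="{safe_name}" value="{attr}"></td>'
                    f'<td>{text}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"

# Any tag other than the template's own means user data was rendered as markup.
TAG_RE = re.compile(r"<(?!/?(table|tr|td|input)\b)[^>]*>", re.I)

def stray_tags(markup):
    """Return tags that did not come from the template (empty list = clean)."""
    return [m.group(0) for m in TAG_RE.finditer(markup)]

if __name__ == "__main__":
    print("unfiltered:", stray_tags(render_unfiltered(SAMPLE_FIELDS)))
    print("filtered:  ", stray_tags(render_filtered(SAMPLE_FIELDS)))
```

The same check can be run against a fetched page in a regression test: a non-empty result for a field rendered from user input is the defect the advisory describes.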
CHARACTERISTICS
Identifiers: BID-34573, CVE-2009-0307, ERNW Security Advisory
01-2009, KB17953, KB17969, VIGILANCE-VUL-8650
http://vigilance.fr/vulnerability/Blackberry-Enterprise-Server-Cross-Site-Scripting-8650