============================================================================
Foofus.net Security Advisory: foofus-20100523
============================================================================
Title: BMC Service Desk Express XSS/XSRF
Version: 1.0
Vendor: BMC Software
Release Date: 23.05.2010
Issue Status: Reported To Vendor / Patch Issued
============================================================================

1. Summary

BMC's Service Desk Express software is a popular tool for managing IT actions and assets. A cross-site scripting vulnerability was discovered in the tested versions of this software. The same issue can also be used to perform cross-site request forgery attacks.

2. Description

A cross-site scripting vulnerability exists in prelogin.asp. The issue stems from the fact that an adversary can control the output of the Authentication Error message. This is accomplished by setting the preLoginErrors variable to "errorsoccurred" and injecting code via the Error variable.

3. Proof of Concept

The following URL will inject an iframe into the prelogin.asp authentication page.

http://helpdesk/helpdesk/PreLogin.asp?preLoginErrors=errorsoccured&Error=%3Ciframe%20src=http://adversary.bad/foo.php%3E%3C/iframe%3E

4. Impact

Exploiting this issue allows an adversary to inject any type of web-based content into the authentication screen, enabling client-side attacks or social engineering against users. This software is often installed exposed to the public internet.

5. Affected Products

All tested versions of BMC's Service Desk Express.

6. Solution

The vendor has been notified and a patch has been released to resolve this issue.
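The following is an added illustration (not the advisory's or the vendor's code) of how a defender can spot probes of this reflected XSS in web server logs, and what the corrected output encoding of the Error value looks like. The log lines are constructed, and the field layout (date, time, method, URI stem, query, status) is an assumption about a typical IIS W3C configuration.

```python
"""Detect reflected-XSS probes against PreLogin.asp and show the fix.

Added example for this advisory; not vendor code. The log sample is
constructed and its W3C-style column layout is an assumption.
"""
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not real traffic). Fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2010-05-23 10:00:01 GET /helpdesk/PreLogin.asp - 200
2010-05-23 10:00:05 GET /helpdesk/PreLogin.asp preLoginErrors=errorsoccured&Error=Invalid+login 200
2010-05-23 10:00:09 GET /helpdesk/PreLogin.asp preLoginErrors=errorsoccured&Error=%3Ciframe%20src=http://adversary.bad/foo.php%3E%3C/iframe%3E 200
2010-05-23 10:00:12 GET /helpdesk/Home.asp Error=%3Cb%3Ehi%3C/b%3E 200
"""

# Characters/tokens that have no place in a legitimate login error string.
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)

def suspicious_requests(log_text):
    """Return (line_no, decoded Error value) for PreLogin.asp requests
    whose Error parameter still carries markup after URL-decoding."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 6 or not parts[3].lower().endswith("/prelogin.asp"):
            continue
        query = parts[4]
        if query == "-":          # IIS logs '-' for an empty query string
            continue
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes once
        for value in params.get("Error", []):
            decoded = unquote(value)  # second pass catches double-encoding
            if MARKUP.search(decoded):
                hits.append((n, decoded))
    return hits

def render_error(message):
    """Mitigation counterpart: encode the reflected value for an HTML
    context so injected tags become inert text instead of markup."""
    return '<p class="error">' + html.escape(message, quote=True) + "</p>"

if __name__ == "__main__":
    for line_no, payload in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: markup in Error parameter -> {payload!r}")
    print(render_error("<iframe src=http://adversary.bad/foo.php></iframe>"))
```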