Security Issue XSS Vulnerability Note

Web developers surely heard of acronym like HTML, CSS, JS, XML etc. But, what about XSS? It’s something a good boy never bother to know, until one day he’s been threaten so. As such we learned the details to defense ourselves, and all you need to do is to upgrade to the latest version to get the SCADA system protected.

Crossed site scripting illustration

Summary of Event
  • 13-Apr-2011: ICS CERT Contacted IntegraXor support team that a Security Researcher has discovered XSS vulnerarity in IntegraXor system.
  • 14-Apr-2011: 5 Exploit Codes for the vulnerability is received.
  • 18-Apr-2011: IntegraXor Support Team confirmed to US-CERT that only 1 out of 5 Exploit Codes is valid. Another 1 is due to database read level security configuration which was set to zero on demo project, hence has nothing to patch.
  • 22-Apr-2011: Thanks to US-CERT Malware Team who has confirmed our finding with a very professional analysis report, and they managed to twist one of the invalid exploit code to function. Hence made the total 2 out of 5 exploit codes valid.
  • 04-May-2011: IntegraXor Support Team announced to ICS-CERT and Security Researcher all confirmed vulnerabilities have been patched for any version after RC 3.60.4061.
  • 09-May-2011: Security fixed is issued as official release 3.60 Build 4080 for general download.
  • 24-May-2011: Security researcher confirmed the vulnerability issue has been fixed.
  • 27-May-2011: ICS CERT made public announcement.
  • 09-Jun-2011: Public announcement was made by IntegraXor.

Image Credits:

Scroll: DooFi

Barricades: Rfc1394