TITLE:
TeamSpeak Server Privilege Escalation and Cross-Site Scripting

SECUNIA ADVISORY ID:
SA25242

VERIFY ADVISORY:
http://secunia.com/advisories/25242/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting, Privilege escalation

WHERE:
From remote

SOFTWARE:
TeamSpeak 2.x
http://secunia.com/product/5832/

DESCRIPTION:
Gilberto Ficara has reported a security issue and some vulnerabilities
in TeamSpeak, which can be exploited by malicious users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks.

1) The problem is that it is possible for a Server Admin to grant
certain privileges like “AccessWebAdminServer”, “AdminAddServer”,
“AdminDeleteServer”, “AdminStartServer”, and “AdminStopServer” to
registered users. This can be exploited to create, start, stop, or
delete servers by creating a user and accessing certain administrative
pages as this user directly.

Successful exploitation requires Server Admin access to the application.

2) Input passed to the “error_title” and “error_text” parameters in
error_box.html and to the “ok_title” parameter in ok_box.html is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user’s browser
session in context of an affected site.

Successful exploitation requires that the user is currently logged in.

The vulnerabilities are confirmed in version 2.0.20.1. Other versions
may also be affected.

SOLUTION:
The vulnerabilities have reportedly been fixed in version 2.0.23.15
BETA.

Filter malicious characters and character sequences in a web proxy.
Grant only trusted users Super Admin privileges.
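
The proxy-filter workaround can be sketched as follows. This is an added example, not code from Secunia, TeamSpeak or the original advisory; it flags requests to error_box.html and ok_box.html whose "error_title", "error_text" or "ok_title" values contain markup characters. It assumes the parameters arrive in the query string and that logs are in common log format; the sample lines and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Page -> parameters the advisory names as returned unsanitised.
WATCHED = {
    "error_box.html": {"error_title", "error_text"},
    "ok_box.html": {"ok_title"},
}
# Characters needed to open a tag or break out of an attribute value.
MARKUP = re.compile(r"[<>\"'`]")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C) so it cannot hide markup."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(request_target):
    """Return sorted names of watched parameters that carry markup characters."""
    parts = urlsplit(request_target)
    page = parts.path.rsplit("/", 1)[-1].lower()  # match on file name, any directory
    watched = WATCHED.get(page, set())
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in watched and MARKUP.search(fully_decode(value)):
            hits.add(name)
    return sorted(hits)

def scan_access_log(lines):
    """Return (client, parameter names) for each log line a filter should block."""
    request = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
    flagged = []
    for line in lines:
        m = request.match(line)
        if m and (hits := suspicious_params(m.group(2))):
            flagged.append((m.group(1), hits))
    return flagged

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /error_box.html?error_title=Login&error_text=Wrong+password HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /error_box.html?error_title=%3Cb%3Ex&error_text=ok HTTP/1.1" 200 530',
    '192.0.2.45 - - [01/Jan/2024:10:00:09 +0000] "GET /ok_box.html?ok_title=%253Ci%253Ey HTTP/1.1" 200 498',
    '192.0.2.46 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?ok_title=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Legitimate messages containing quotes or apostrophes are flagged as well, so the character set may need tuning before the check is used to block rather than to alert.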

PROVIDED AND/OR DISCOVERED BY:
Gilberto Ficara

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062935.html