Posted to dev@manifoldcf.apache.org by "roel goovaerts (JIRA)" <ji...@apache.org> on 2019/03/28 09:45:00 UTC

[jira] [Updated] (CONNECTORS-1597) reflected cross-site scripting vulnerability

     [ https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

roel goovaerts updated CONNECTORS-1597:
---------------------------------------
    Description: 
This is the full report of a penetration test, performed at a client where we deployed a system which uses manifold:

*Summary*
A reflected cross-site scripting vulnerability was discovered in the application.
Reflected cross-site scripting occurs when a web application displays data submitted by the user that
contains HTML markup and scripting code without properly escaping it. An attacker will create a link to the
vulnerable page that will display JavaScript code crafted by the attacker. The attacker will then trick an
authenticated application user into clicking or following this crafted link. When the user's browser parses the
generated page, it will execute the code crafted by the attacker. If the user was logged in to the application
when he followed the link, the attacker's code could perform any action in the application that the user can
perform.

*Impact*
Reflected cross-site scripting can be used by attackers to compromise the session of an authenticated user.
By persuading the victim to click on a specially crafted link, the attacker can execute his own JavaScript
payload in the browser context of the victim. In this specific case, an attacker could hijack his victim's session
given that the session token is not flagged as HttpOnly as demonstrated in [G190204T1F4][MANIFOLD]
Insecure Cookie Configuration.
Additional attacks exist where an attacker can deceive end users of the application by redirecting them to
replica sites or trick them into downloading trojans or other malware. The attacker can also use a so-called
browser exploitation framework. In this scenario the attacker injects JavaScript code that communicates to
the attack framework running on the attacker's computer. When the victim user executes the JavaScript code
the attacker can control the victim's browser. Publicly available frameworks exist (BeEF -
[http://www.bindshell.net/tools/beef], Backframe - [http://www.gnucitizen.org/projects/backframe/], XSS Proxy -
[http://xss-proxy.sourceforge.net/]).

*Affected Systems*
 * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/] [name of an arbitrarily supplied URL parameter]

*Description*
A case where the application includes user input into the generated HTML pages without properly escaping
the user supplied data was discovered in the application. The HTTP requests and responses shown below
demonstrate the problem.
{code:java}
GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1
Host: els-manifold-uat.bc:8475
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18
{code}
{code:java}
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 18 Feb 2019 13:07:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2576
Connection: close
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
max-age: Thu, 01 Jan 1970 00:00:00 GMT
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta content='width=device-width, initial-scale=1, maximum-scale=1, userscalable=no' name='viewport'>
<link href="css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
<link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
<link rel="StyleSheet" href="css/style.css" type="text/css" media="screen"/>
<title>Apache ManifoldCF™ Login</title>
<script type="text/javascript">
<!--
function login()
{
document.loginform.submit();
}
document.onkeypress = loginKeyPress;
function loginKeyPress(e)
{
e = e || window.event;
if (e.keyCode == 13)
{
document.getElementById('buttonLogin').click();
return false;
}
return true;
}
//-->
</script>
</head>
<body class="login-page">
<div class="login-box">
<div class="login-logo">
<a href="/"><img src="ManifoldCF-logo.png"/></a>
</div>
<!-- /.login-logo -->
<div class="login-box-body">
<p class="login-box-msg">Sign in to start your session</p>
<form class="standardform" name="loginform" action="setupAdminProfile.jsp"
method="POST">
<input type="hidden" name="nextUrl" value="index.jsp?smafi"><script>alert(1)</script>non7x=1">
<div class="form-group has-feedback">
--snip--
{code}
*Recommendations*
We recommend that the application enforce proper validation on user input. In most situations where user-controllable
data is copied into application responses, cross-site scripting attacks can be prevented using two
layers of defenses:
 * Input should be validated as strictly as possible on arrival, given the kind of content which it is
expected to contain. For example, personal names should consist of alphabetical and a small range
of typographical characters, and be relatively short; a year of birth should consist of exactly four
numerals; email addresses should match a well-defined regular expression. Input which fails the
validation should be rejected, not sanitized.
 * User input should be HTML-encoded at any point where it is copied into application responses. All
HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML
entities (&lt; &gt; etc).

*References*
 * OWASP – Cross-site scripting - [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)]

  was: As a result of a pen test, a reflected cross-site scripting vulnerability was discovered


> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
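The response in the report shows the query string copied unencoded into the value attribute of the hidden nextUrl field, and the Recommendations ask for HTML-encoding at exactly that point. The Python below is an added illustration, not ManifoldCF code: it rebuilds that hidden input from the report's request line both as the report shows it and with attribute-context encoding, then parses each fragment the way a browser would, so that only the encoded version remains a single element. The request line is a constructed copy of the one in the report; the function and class names are assumptions of this example.

```python
from html.parser import HTMLParser

# Constructed copy of the request line quoted in the report above.
REQUEST_LINE = 'GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1'


def query_string(request_line):
    """Return the raw query string of an HTTP request line ('' if none)."""
    target = request_line.split(" ", 2)[1]
    return target.partition("?")[2]


def encode_for_html_attribute(value):
    """Attribute-context encoding: keep ASCII letters and digits, emit every
    other character as a numeric entity. This covers the < > " ' = and &
    metacharacters named in the Recommendations, and everything else too."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#{ord(c)};"
                   for c in value)


def vulnerable_next_url_input(query):
    """Mirrors the defect: the query string is concatenated straight into
    the value attribute of the hidden nextUrl field."""
    return '<input type="hidden" name="nextUrl" value="index.jsp?' + query + '">'


def fixed_next_url_input(query):
    """Same markup, but the untrusted part is encoded for the attribute context."""
    return ('<input type="hidden" name="nextUrl" value="index.jsp?'
            + encode_for_html_attribute(query) + '">')


class FragmentParser(HTMLParser):
    """Records every start tag the parser sees plus the decoded nextUrl value,
    so the vulnerable and fixed fragments can be compared."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.next_url = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and dict(attrs).get("name") == "nextUrl":
            self.next_url = dict(attrs).get("value")


def parse_fragment(markup):
    """Parse a markup fragment and return the populated FragmentParser."""
    parser = FragmentParser()
    parser.feed(markup)
    parser.close()
    return parser
```

In the encoded fragment the parser still decodes nextUrl back to the original string, so the fix preserves the data while preventing it from closing the attribute.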