Posted to dev@manifoldcf.apache.org by "Karl Wright (Jira)" <ji...@apache.org> on 2020/02/03 10:08:00 UTC

[jira] [Resolved] (CONNECTORS-1597) reflected cross-site scripting vulnerability

     [ https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright resolved CONNECTORS-1597.
-------------------------------------
    Fix Version/s: ManifoldCF 2.13
       Resolution: Fixed

> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Assignee: Kishore Kumar
>            Priority: Minor
>             Fix For: ManifoldCF 2.13
>
>
> This is the full report of a penetration test, performed at a client where we deployed a system which uses manifold:
> *Summary*
> A reflected cross-site scripting vulnerability was discovered in the application.
> Reflected cross-site scripting occurs when a web application displays data submitted by the user that
> contains HTML markup and scripting code without properly escaping it. An attacker will create a link to the
> vulnerable page that will display JavaScript code crafted by the attacker. The attacker will then trick an
> authenticated application user into clicking or following this crafted link. When the user's browser parses the
> generated page, it will execute the code crafted by the attacker. If the user was logged in to the application
> when he followed the link, the attacker's code could perform any action in the application that the user can
> perform.
> *Impact*
> Reflected cross-site scripting can be used by attackers to compromise the session of an authenticated user.
> By persuading the victim to click on a specially crafted link, the attacker can execute his own JavaScript
> payload in the browser context of the victim. In this specific case, an attacker could hijack the victim's session
> given that the session token is not flagged as HttpOnly as demonstrated in [G190204T1F4][MANIFOLD]
> Insecure Cookie Configuration.
> Additional attacks exist where an attacker can deceive end users of the application by redirecting them to
> replica sites or trick them into downloading trojans or other malware. The attacker can also use a so-called
> browser exploitation framework. In this scenario the attacker injects JavaScript code that communicates to
> the attack framework running on the attacker's computer. When the victim user executes the JavaScript code
> the attacker can control the victim's browser. Publicly available frameworks exist (BeEF -
> [http://www.bindshell.net/tools/beef], Backframe - [http://www.gnucitizen.org/projects/backframe/], XSS Proxy -
> [http://xss-proxy.sourceforge.net/]).
> *Affected Systems*
>  * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/] [name of an arbitrarily supplied URL parameter]
> *Description*
> A case where the application includes user input into the generated HTML pages without properly escaping
> the user supplied data was discovered in the application. The HTTP requests and responses shown below
> demonstrate the problem.
> {code:java}
> GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1
> Host: els-manifold-uat.bc:8475
> Accept-Encoding: gzip, deflate
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> Connection: close
> Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18
> {code}
> {code:java}
> HTTP/1.1 200 OK
> Server: nginx/1.12.2
> Date: Mon, 18 Feb 2019 13:07:02 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 2576
> Connection: close
> Pragma: No-cache
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache
> max-age: Thu, 01 Jan 1970 00:00:00 GMT
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE html>
> <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
> <meta content='width=device-width, initial-scale=1, maximum-scale=1, userscalable=
> no' name='viewport'>
> <link href="css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
> <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
> <link rel="StyleSheet" href="css/style.css" type="text/css" media="screen"/>
> <title>Apache ManifoldCF™ Login</title>
> <script type="text/javascript">
> <!--
> function login()
> {
> document.loginform.submit();
> }
> document.onkeypress = loginKeyPress;
> function loginKeyPress(e)
> {
> e = e || window.event;
> if (e.keyCode == 13)
> {
> document.getElementById('buttonLogin').click();
> return false;
> }
> return true;
> }
> //-->
> </script>
> </head>
> <body class="login-page">
> <div class="login-box">
> <div class="login-logo">
> <a href="/"><img src="ManifoldCF-logo.png"/></a>
> </div>
> <!-- /.login-logo -->
> <div class="login-box-body">
> <p class="login-box-msg">Sign in to start your session</p>
> <form class="standardform" name="loginform" action="setupAdminProfile.jsp"
> method="POST">
> <input type="hidden" name="nextUrl" value="index.jsp?
> smafi"><script>alert(1)</script>non7x=1">
> <div class="form-group has-feedback">
> --snip--
> {code}
> *Recommendations*
> We recommend that the application enforces proper validation on user input. In most situations where user-controllable
> data is copied into application responses, cross-site scripting attacks can be prevented using two
> layers of defenses:
>  * Input should be validated as strictly as possible on arrival, given the kind of content which it is
> expected to contain. For example, personal names should consist of alphabetical and a small range
> of typographical characters, and be relatively short; a year of birth should consist of exactly four
> numerals; email addresses should match a well-defined regular expression. Input which fails the
> validation should be rejected, not sanitized.
>  * User input should be HTML-encoded at any point where it is copied into application responses. All
> HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML
> entities (&lt; &gt; etc).
> *References*
>  * OWASP – Cross-site scripting - [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
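The unescaped `nextUrl` reflection shown in the report and the two-layer recommendation, as an added Java illustration that is not ManifoldCF's own code nor the fix shipped in 2.13: the pre-fix rendering of the hidden input, the same rendering with attribute encoding, and a strict validation check that rejects rather than sanitizes. The helper names `attributeEscape`, `renderVulnerable`, `renderEscaped` and `isAcceptableNextUrl`, and the rule that a post-login target must be a plain relative page path, are assumptions made for this example.

```java
import java.util.regex.Pattern;

public class NextUrlEscapeDemo {
    // Assumed helper: encodes the HTML metacharacters the report lists
    // (< > " ' =) plus &, so a value cannot close the surrounding attribute.
    static String attributeEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '=':  sb.append("&#61;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pre-fix shape from the report: the query string lands in value="..." verbatim,
    // so a " inside the parameter name closes the attribute and the tag.
    static String renderVulnerable(String nextUrl) {
        return "<input type=\"hidden\" name=\"nextUrl\" value=\"" + nextUrl + "\">";
    }

    // Second layer of the recommendation: encode at the point of insertion.
    static String renderEscaped(String nextUrl) {
        return "<input type=\"hidden\" name=\"nextUrl\" value=\"" + attributeEscape(nextUrl) + "\">";
    }

    // First layer: validate strictly and reject on failure. Assumed rule for this
    // example: a post-login target is a relative page name with a plain query string.
    private static final Pattern SAFE_NEXT_URL = Pattern.compile("^[A-Za-z0-9_.?=&-]+$");
    static boolean isAcceptableNextUrl(String nextUrl) {
        return nextUrl != null && SAFE_NEXT_URL.matcher(nextUrl).matches();
    }

    public static void main(String[] args) {
        // Constructed from the report's request: index.jsp?smafi"><script>alert(1)</script>non7x=1
        String payload = "index.jsp?smafi\"><script>alert(1)</script>non7x=1";
        System.out.println(renderVulnerable(payload));
        System.out.println(renderEscaped(payload));
        System.out.println("payload accepted by validation: " + isAcceptableNextUrl(payload));
        System.out.println("benign value accepted by validation: " + isAcceptableNextUrl("index.jsp?smafi=1"));
    }
}
```

The first printed line reproduces the broken-out `<script>` tag from the report's response, while the second keeps the whole value inside the attribute; the validation layer refuses the payload outright.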