lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 22 Feb 2010 11:02:50 +1300
From: CodeScan Labs Advisories <advisories@...escan.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: jQuery Validate 1.6.0 Demo Code Advisory

+----------------------------------------------+
   ADVISORY – jQuery Validate 1.6.0 Demo Code  
                                               
   AFFECTED PACKAGES                           
       > jQuery Validate 1.6.0                 
       > SilverStripe 2.3.X to 2.3.5           
                                               
   Discovered By CodeScan.com                  
+----------------------------------------------+

Vendor's Website:  
http://bassistance.de/jquery-plugins/jquery-plugin-validation/


CodeScan Labs (www.codescan.com), has recently 
released a new source code scanning tool, 
CodeScan. CodeScan is an advanced auditing tool 
designed to check web application source code 
for security vulnerabilities. CodeScan utilises 
an intelligent source code parsing engine, 
traversing execution paths and tracking the flow
of user supplied input.

During the ongoing testing of CodeScan PHP, the 
jQuery.Validate demonstration code was discovered
within another project.  




<<<   CROSS SITE SCRIPTING THROUGH ECHO   >>>

XSS in [form.php], folder [demo].  
(Full Path:  


$user = $_REQUEST['user'];
$pw = $_REQUEST['password'];
if($user && $pw && $pw == "foobar")
    echo "Hi $user, welcome back."


<<<   PROOF OF CONCEPT   >>>

http://[host]/validate/demo/form.php?user=%3Cscript%3Ealert%28%27Proof%20of%20Concept%27%29;%3C/script%3E&password=foobar


<<<   YES, WE REALISE THIS IS DEMO CODE   >>>

A simple Google search unearthed a number of 
results for the existence of this plugin/demo
within SVN repositories, as well as on live web
servers.  Demo or not, it has been included in
distributions (Such as SilverStripe) – and has
been deployed in live environments.


<<<   RESPONSIBLE DISCLOSURE   >>>

We have attempted to make contact with the 
author of this plugin, to no avail.

We successfully made contact with the 
SilverStripe team who promptly tidied up.
Quick response, well done.  

<<<   EXPLICIT RECCOMENDATIONS   >>>

SilverStripe Users:  Upgrade to the latest
version of SilverStripe (2.3.6 at time of
writing), and ensure the file is deleted.

Other Users:  Chances are you do not need
this file in your project, so delete the
[form.php] file.  Otherwise, ensure proper
Sanitization.

 
<<<   CLOSING NOTES   >>>

You may be able to write secure code, but the
code you get from third parties can put you at
risk.  Always review the code of third parties
(including/especially plug ins) – not doing so
puts you at unnecessary risk.

-- 
This message has been scanned for viruses and
dangerous content by Bizo EmailFilter, and is
believed to be clean.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ