lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAFYQz10ascszwpVyrsS+yZyB9ve5VpW6orXtjFKTp_=tcz++xQ@mail.gmail.com>
Date: Mon, 24 Mar 2014 08:05:18 -0300
From: Daniel Marques <daniel@...alabs.net>
To: bugtraq@...urityfocus.com
Subject: CVE-2014-2570 - php-font-lib 0.3 www/make_subset.php Reflected Cross
 Site Scripting

==========================================================

php-font-lib - Subset maker (make_subset.php) Reflected Cross-site Scripting

Revision 1.0

==========================================================

Author: Daniel C. Marques (@0xc0da)

Release date: 2014-03-23

Reference: http://codalabs.net/cla-2014-001


Disclosure Timeline

===============

2014-03-19 - Developer notified.

2014-03-19 - Developer patch.

2014-03-20 - CVE-2014-2570 assigned.

2014-03-23 - Public disclosure.


Product Information

===============

Product: php-font-lib

Description: A library to read, parse, export and make subsets of
different types of font files.

Developer: Fabien Ménager

Website: https://github.com/PhenX/php-font-lib


Overview

=======

The Subset maker of the affected php-font-lib versions is vulnerable
to a Reflected Cross-site Scripting. This vulnerability might allow
remote unauthenticated attackers to inject arbitrary Javascript or
HTML via the 'name' parameter. This flaw exists because the contents
of 'name' are not sanitized before it is inserted in the web page.


Vulnerability Information

==================

Vulnerability: Reflected Cross-site Scripting

CVE Identifier: CVE-2014-2570

CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CWE Identifier: CWE-79 - Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting')

Affected releases: 0.3


Vulnerability details

==============

The make_subset.php script in the 'www' directory does not sanitize
the contents of the 'name' parameter before echoing it to the user.
The vulnerable piece of code is shown below:


<h1><?php echo $name ?></h1>


This vulnerability can be used to inject Javascript code to be
rendered by the browser. An attacker must trick the user to access a
crafted URL (using social engineering, e.g.) for a successful attack.


Proof-of-Concept

=============

http://www.example.com/php-font-lib/www/make_subset.php?fontfile=../fonts/Norasi.ttf&name=<script>alert('XSS')</script>


Solution

======

The developer informed that version 0.3.1 fixes the issue.


Credits

======

Vulnerability identified and reported by Daniel C. Marques (@0xc0da).



References

=========

[1] https://github.com/PhenX/php-font-lib

[2] https://cwe.mitre.org/data/definitions/79.html

[3] http://codalabs.net/cla-2014-001

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ