[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADz_VDFdi3u3MYR8MHWX9zH2MXW1_VQgq2uJdZnB9XQeYg9W8w@mail.gmail.com>
Date: Wed, 23 Nov 2011 23:12:53 +0000
From: Darren McDonald <athena@...donald.net>
To: full-disclosure@...ts.grok.org.uk
Subject: One Click Orgs 1.4.1 Multiple Vulnerabilities
One Click Orgs, Multiple Vulnerabilities
===============
Document Details
===============
Version 1.0, 2011-11-19
===============
Background
===============
“One Click Orgs allows users to set up a simple, effect legal
structure and voting system which can help groups open a bank account,
hold property, and keep the whole team involved in day to day
decisions.” [1]
After I posted a message on London Hackspace offering a security
assessment for a community project, One Click Orgs responded and set
up a instance of their software to allow me to test it. This was back
in August 2011. OneClickOrgs has now corrected these issues, and they
have updated their production instance at www.oneclickorgs.com.
===============
Versions
===============
Version 1.2.1 was tested, users should upgrade to version 1.2.3 to
correct the listed vulnerabilities.
===============
Finding 1 – Stored Cross Site Scripting
===============
Instance 1
The application does not correctly encode the description field of a
new vote. JavaScript can then be executed on the voting and proposal
screens. The following string can be used as a proof of concept.
<img src=”xyz” onerror=”alert(1)” />
Instance 2
Similar to instance one, the description field in the eject member
proposal functionality is also vulnerable to stored cross site
scripting
===============
Finding 2 – Open URL Redirection
===============
Description
The application accepts any value in the ‘return_to’ field and
redirects the user using a 302 to the specified value. This could be
used to construct URLs which would contain a valid one click orgs
instance, yet redirect the user to another site.
PoC URL: http://testorg.oneclickorgs.com/votes/vote_for/8?return_to=http://dmcdonald.net
===============
Finding 3 – Email Address is Not Unique
===============
Description
One Click Orgs allows user to amend their email address to that of
another org member. If the user modifying their email address joined
the org before the target user, this can prevent the user from logging
in. This could also be used to masquerade as another user apparently
submitting votes and comments on behalf of another user. However,
votes cast would be tied to the userid of the attacking user and this
would not allow additional votes.
Instances
When a user modifies their email address
When a user is created through a proposed member vote or when they are
added as an initial founder.
===============
Finding 4 – 2nd Order SMTP Injection
===============
Description
One Click Orgs is vulnerable to SMTP Injection. This could be used to
send SPAM email messages or exploit any potential vulnerabilities in
the SMTP server.
Instance 1
Setting the org name to contain double quote marks and newlines allows
an attacker to escape the From descriptor when emails are sent to new
users.
Instance 2
Users can modify their email addresses to include double quotes which
causes similar issues.
===============
Minor Issues
===============
Description
One Click Orgs also corrected three other minor issues to improve the
security of the application. These issues were a further low risk
instance of URL redirection (only exploitable by the inital founding
member or an amazingly timed CSRF), autocomplete enabled on login
forms, and username discovery through differing login error message.
===============
References
===============
[1] One Click Orgs Website, http://www.oneclickorgs.com, Accessed 2011-11-19
===============
Links
===============
http://dmcdonald.net/?page_id=43 – The latest version of this advisory
http://www.oneclickorgs.com – The One Click Orgs Website
-----
Renski
aka Darren McDonald
http://dmcdonald.net
M6LUL
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists