| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jan 2013 15:48:28 +0100 From: Stephan Rickauer <stephan.rickauer@...c.ch> To: full-disclosure@...ts.grok.org.uk Subject: CVE-2013-0805 ############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # CVE ID : CVE-2013-0805 # CSNC ID: CSNC-2013-001 # Product: iTop # Vendor: Combodo # Subject: Cross-site Scripting - XSS # Risk: High # Effect: Remotely exploitable # Author: Stephan Rickauer (stephan.rickauer _at_ csnc.ch) # Date: January 23rd 2013 # ############################################################# Introduction: ------------- Compass Security discovered a security flaw in the iTop web application. Vulnerable: ----------- All iTop versions older than: * trunk revision 2589 * branches/1.2.1, revision 2587 * branches/1.2, revision 2588 * branches/2.0, revision 2590 Not vulnerable: --------------- unknown Patches: -------- Patches have been commited to the SourceForge Trac by the vendor with respect to all affected versions. Modified files: pages/UI.php and pages/run_query.php Fix: ---- Thoroughly encode all user input properly on output. Description: ------------ The iTop search feature displays the term entered by the user. However, that very output of the user's input happens mostly un-encoded. The implemented mitigation step of only encoding < as part of a script tag is inadequate and can be easily bypassed. Exploiting this vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in iTop users. Milestones: ----------- January 4th, Vulnerability discovered January 4th, Vendor contact established January 7th, Vendor provided with technical details January 7th, Vendor acknowledged issue (support _at_ combodo.com) January 15th, CVE assigned and vendor notified January 23rd, Patch committed in all main branches of the iTop project by vendor January 23rd, Public release of advisory References: ----------- XSS reference: http://en.wikipedia.org/wiki/Cross-site_scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued. iTop reference: http://www.combodo.com/iTop-a-new-generation-of-IT.html Provided evidence: - Two screenshots - XSS attack code - copy of html page showing unencoded output _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists