lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <559A5C4A.4090208@gmail.com>
Date: Mon, 06 Jul 2015 13:45:30 +0300
From: Paris Zoumpouloglou <pariszoump@...il.com>
To: fulldisclosure@...lists.org
Cc: cve-assign@...re.org
Subject: [FD] Orchard CMS - Persistent XSS vulnerability

-----------------
Background
-----------------

Orchard is a free, open source, community-focused content management
system written in ASP.NET platform using the ASP.NET MVC framework. Its
vision is to create shared components for building ASP.NET applications
and extensions, and specific applications that leverage these components
to meet the needs of end-users, scripters, and developers.

------------------------
Software Version
------------------------

The version of Orchard affected by this issue are 1.7.3, 1.8.2 and
1.9.0. Version below 1.7.3 are not affected

---------------
Description
---------------

A persistent XSS vulnerability was discovered in the Users module that
is distributed with the core distribution of the CMS. The issue
potentially allows elevation of privileges by tricking an administrator
to execute some custom crafted script on his behalf. The issue affects
the Username field, since a user is allowed to register a username
containing potentially dangerous characters.

More information can be found here
http://docs.orchardproject.net/Documentation/Patch-20150630

----------------------
Proof of Concept
----------------------

1. Attacker registers a new user account with username e.x
<script>alert("XSS")</script>
2. The administrator attempts to delete the account using the Users core
module.
3. Once the administrator clicks on the "delete" action, the XSS payload
is executed.

-------------
Mitigation
-------------

See http://docs.orchardproject.net/Documentation/Patch-20150630

-----------
Timeline
-----------

2015-06-10 Vulnerability reported to Orchard CMS development team
2015-06-12 Response and issue verification
2015-06-30 Update and patch release
2015-07-06 Public Disclosure

---------
Credits
---------

Reported by Paris Zoumpouloglou of Project Zero labs
(https://projectzero.gr)

-- 
Paris Zoumpouloglou
@pzmini0n

https://projectzero.gr


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ