lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <57162B9A.6010304@rv3lab.org>
Date: Tue, 19 Apr 2016 14:59:06 +0200
From: "research@...lab.org" <research@...lab.org>
To: submissions@...ketstormsecurity.com, fulldisclosure@...lists.org, 
 pen-test@...urityfocus.com, bugs@...uritytracker.com, 
 bugtraq@...urityfocus.com, submit@...7day.com, submit@...ecurity.com, 
 full-disclosure@...ts.grok.org.uk
Subject: [FD] Multiple Reflected XSS vulnerabilities in Oliver (formerly
 Webshare) v1.3.1

###################################################

01. ### Advisory Information ###

Title: Multiple Reflected XSS vulnerabilities in Oliver (formerly 
Webshare) v1.3.1
Date published: 2016-15-04
Date of last update: 2014-03-04
Vendors contacted: Oliver (formerly Webshare) v1.3.1
Discovered by: Rv3Laboratory [Research Team]
Severity: Medium


02. ### Vulnerability Information ###

CVE reference: CVE-2014-2710
VU#279207
OVI-2016-7982
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: Oliver (formerly Webshare) v1.3.1
Class: Input Validation Error


03. ### Introduction ###

Oliver is a PHP-based front-end to FTP, released under the GPL.

http://oliver.sourceforge.net/
https://sourceforge.net/projects/oliver/


04. ### Vulnerability Description ###

Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been
identified in the Oliver (formerly Webshare) web application.
Oliver contains a flaw that allows multiple reflected cross-site
scripting (XSS) attacks.
This flaw exists because certain pages do not validate input before
returning it to users.


Vulnerable file(s):
index.php (login page)
loginform-inc.php (login form)

Request Method(s):
GET


05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the pages

http://localhost/oliver/index.php
http://localhost/oliver/loginform-inc.php

The application does not validate correctly the URL upon submission.
The attacker can inject the malicious javascript code:

<isindex x="javascript:" onmouseover="alert('Rv3Lab XSS')">

http://localhost/oliver/index.php/<isindex x="javascript:" 
onmouseover="alert('Rv3Lab XSS')">
http://localhost/oliver/loginform-inc.php/<isindex x="javascript:" 
onmouseover="alert('Rv3Lab XSS')">


06. ### Business Impact ###

This may allow an attacker to create a specially crafted URL that
would execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.


07. ### Systems Affected ###

This vulnerability was tested against: Oliver (formerly Webshare) v1.3.0 
and v1.3.1
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this
vulnerability.
Oliver (formerly Webshare) No longer supported


09. ### Credits ###

Rv3Laboratory [Research Team] - www.Rv3Lab.org

This vulnerability has been discovered by:
Rv3Lab - [www.rv3lab.org] - research(at)rv3lab(dot)org
Christian Catalano aka wastasy - wastasy(at)rv3lab(dot)org
Massimo Piccinno aka MaxPic - maxpic(at)rv3lab(dot)org


10. ### Vulnerability History ###

April 03rd, 2013: Vulnerability identification
April 18th, 2013: No response received
April 15th, 2014: No response received - Oliver (formerly Webshare) No 
longer supported
April 15th, 2016: Public Security advisory released


11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
We accept no responsibility for any damage caused by the use or misuse of
this information.


12. ### About Rv3Lab ###

Rv3Lab is an independent Security Research Lab.
For more information, please visit [www.Rv3Lab.org]
For more information regarding the vulnerability feel free to contact the
Rv3Research Team: research(at)rv3lab(dot)org

###################################################

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists