lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0Ma9tP-1cxMJu1FGx-00Lkfq@mrelayeu.kundenserver.de>
Date: Thu, 16 Feb 2017 12:24:12 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Plone: XSS

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Plone 5.0.5
Fixed in:            Hotfix 20170117
Fixed Version Link:  https://plone.org/security/hotfix/20170117
Vendor Contact:      security@...ne.org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 01/26/2017
Release mode:        Coordinated Release
CVE:                 CVE-2016-7147
Credits              Tim Coen of Curesec GmbH

2. Overview

Plone is an open source CMS written in python. In version 5.0.5, the Zope
Management Interface (ZMI) component is vulnerable to reflected XSS as it does
not properly encode double quotes.

3. Details

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: The search functionality of the management interface is vulnerable
to reflected XSS. As the input is echoed into an HMTL attribute, an attacker
can use double quotes to escape the current attribute and add new attributes to
enter a JavaScript context.

Proof of Concept:

http://0.0.0.0:9090//Plone/manage_findResult?obj_metatypes%3Alist=all&
obj_ids%3Atokens=%22+autofocus+onfocus%3dalert(1)%3E&obj_searchterm=&obj_mspec=
%3C&obj_mtime=&search_sub%3Aint=1&btn_submit=Find

4. Solution

To mitigate this issue please apply the hotfix 20170117.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Contacted Vendor, Vendor confirmed, Requested CVE
09/06/2016 CVE assigned
09/06/2016 Vendor requests 90 days to release fix
01/10/2017 Contacted Vendor Again, Vendor announces hotfix
01/17/2017 Vendor releases hotfix
01/26/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Plone-XSS-186.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ