lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1522139239.110848.1714984002552@email.df.eu>
Date: Mon, 6 May 2024 10:26:42 +0200 (CEST)
From: Simon Bieber via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping
 (XSS) flaws in Drupal-Wiki

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping (XSS) flaws in Drupal-Wiki

Affected Products
   Drupal Wiki 8.31 
   Drupal Wiki 8.30 (older releases have not been tested)
   
References
   https://www.secuvera.de/advisories/secuvera-SA-2024-02.txt (used for updates)
   CVE-2024-34481 
   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
   CVSS-B: 6.4 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N )
   https://drupal-wiki.com/drupal-wiki-update-8-31/ (Vendor 1st Fix Release Notes)

Summary:
   According to the Product Website Drupal-Wiki is an enterprise grade Wiki platform.
   The comment function of a Drupal-Wiki-Page is prone to persistent Cross-Site Scritping 
   Attacks (persistent XSS).
   
Effect:
   A remote attacker that is allowed to edit a wiki page or comment to a wiki page is able to 
   execute arbitrary (javascript) code within a victims' browser after the victim has opened
   a wiki page with malicous comments or content. 

Example:
	1) XSS in comments to a Wiki Page
	The Following steps are needed to exploit the vulnerability on a Wiki-Page assuming
	that no login is needed to comment on a page.
		1. Go to an arbitrary Wiki-Page.
		2. Click on "submit comment" at the lower end of a Wiki Page
		3. Enter the following into the comment form overlay and click on 
        the "save" button:
		   "'><img src=x onError=alert('XSS!')>
	
	The above code creates a harmless JavaScript alert box whenever the Wiki-Page gets
	loaded.
	2) XSS in captions:
	Open a Wiki-Page, insert a caption with the payload from example 1) and save it.
	
	
	3) XSS in image titles
	Open a Wiki-Page, insert an image with the payload from example 1) as title and save it.
	
	
Solution
	Update to release 8.31.1 or newer.

Disclosure Timeline:
   2024/03/20 vulnerability discovered
   2024/03/21 vendor contacted to get security contact details
   2024/03/21 vendor replied with contact information
   2024/03/21 vulnerability details sent to security contact
   2024/03/21 vendor confirmed vulnerability, proposed fix in next release update
   2024/03/25 vendor release update containing fix. 
   2024/03/27 requested CVE-ID, reworked CVSS, tested fix. First fix not fully remediating
              all issues, contacted vendor again to inform about fix test results.
   2024/03/27 vendor replied confirming and proposed second fix with new update. 
              planned publication of the SA for 2024/04/14
   2024/04/14 postponed public release as assign request of cve was not answered yet.
   2024/05/06 CVE was assigned. Public release.

Credits:
   Simon Bieber
   sbieber@...uvera.de
   secuvera GmbH
   https://www.secuvera.de
   
Disclaimer:
    All information is provided without warranty. The intent is to
    provide information to secure infrastructure and/or systems, not
    to be able to attack or damage. Therefore secuvera shall
    not be liable for any direct or indirect damages that might be
    caused by using this information.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE6mgEBCu3JYBqmGrgDIJc8mYSY6UFAmY4k7YACgkQDIJc8mYS
Y6Xa1A//cTQ41Wp55MJwjE0t7ABw1RSmPskosPycpMxKgU79LH7xwGLpTaRxd1H9
BiNK/Q/4j5Ad4JtM4TDwb0j7XGj07/Cp+hBcomqKohe7hgVflhZOzUcWKvfQUbQt
1yto71AauEpTz32YebZMxrFJLUXtnJU9pPQnAB5iZOyDT5rsXvEBmCnG6OF1kviy
juXiiR15rZEiiWdW+CaAz3qr07Te0WD1i14IPvE55tuKNwp9LOZr9+Fl3CM2atxs
/LSjgZnTIWODnpnuAD3D2XT5XIj1AK5cEGgg+si4UuYFK/v0nTP4Pytlw2HbS0au
WvAqtiI8YwuhQOYvsXoQ5UYHjZzc2BrQ5mn2MujHb17/eMyG2o3bgPnZ9x+PxDSi
Z++4iRnwolip0ha2E0bIwq8dVyHYcCPfwkrAk3vSmvLmzEivz+OyXPPWwB6EVq8q
3/DRa9fcVO985bxOeBHImyqgPLm8je70Z51GBezCPlHltYXZ8AHpBzqc7Jp0DgUB
UYlQ3y3a62E5oQ8Uo0S7YFkM7ZYhFaxBeVZs4gC1QOo2FNyQjVvD11digf9M+uSR
aH3SwpHhYSIremKeWG9xDGCjN2fiSuEJHdhwAzWUHFa1b7PArB3Ypq3ILKgJyIwx
1S/LYqnuiCC00tp48b8AzMUdYqyeXIfhvOiYMEzzBIq2Ft+IW9U=
=hWhw
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ