[ 
https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028833#comment-17028833
 ] 

Karl Wright commented on CONNECTORS-1597:
-----------------------------------------

Final analysis of this ticket is that, since ManifoldCF's UI does not have 
different classes of users, and since we've already dealt with any problems 
with the login page, escalation of privileges is not a valid attack vector 
against the ManifoldCF UI.


> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Assignee: Kishore Kumar
>            Priority: Minor
>
> This is the full report of a penetration test, performed at a client where we 
> deployed a system which uses manifold:
> *Summary*
> A reflected cross-site scripting vulnerability was discovered in the 
> application.
> Reflected cross-site scripting occurs when a web application displays data 
> submitted by the user that
> contains HTML markup and scripting code without properly escaping it. An 
> attacker will create a link to the
> vulnerable page that will display JavaScript code crafted by the attacker. The 
> attacker will then trick an
> authenticated application user into clicking or following this crafted link. 
> When the user's browser parses the
> generated page, it will execute the code crafted by the attacker. If the user 
> was logged in to the application
> when he followed the link, the attacker's code could perform any action in 
> the application that the user can
> perform.
> *Impact*
> Reflected cross-site scripting can be used by attackers to compromise the 
> session of an authenticated user.
> By persuading the victim to click on a specially crafted link, the attacker 
> can execute his own JavaScript
> payload in the browser context of the victim. In this specific case, an 
> attacker could hijack its victim's session
> given that the session token is not flagged as HttpOnly as demonstrated in 
> [G190204T1F4][MANIFOLD]
> Insecure Cookie Configuration.
> Additional attacks exist where an attacker can deceive end users of the 
> application by redirecting them to
> replica sites or trick them into downloading trojans or other malware. The 
> attacker can also use a so called
> browser exploitation framework. In this scenario the attacker injects 
> JavaScript code that communicates to
> the attack framework running on the attacker's computer. When the victim user 
> executes the JavaScript code
> the attacker can control the victim's browser. Publicly available frameworks 
> exist (BeEF -
> [http://www.bindshell.net/tools/beef], Backframe 
> -[http://www.gnucitizen.org/projects/backframe/], XSS Proxy -
> [http://xss-proxy.sourceforge.net/]).
> *Affected Systems*
>  * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/] [name of an arbitrarily 
> supplied URL parameter]
> *Description*
> A case where the application includes user input into the generated HTML 
> pages without properly escaping
> the user supplied data was discovered in the application. The HTTP requests 
> and responses shown below
> demonstrate the problem.
> {code:java}
> GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1
> Host: els-manifold-uat.bc:8475
> Accept-Encoding: gzip, deflate
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; 
> Trident/5.0)
> Connection: close
> Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18
> {code}
> {code:java}
> HTTP/1.1 200 OK
> Server: nginx/1.12.2
> Date: Mon, 18 Feb 2019 13:07:02 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 2576
> Connection: close
> Pragma: No-cache
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache
> max-age: Thu, 01 Jan 1970 00:00:00 GMT
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE html>
> <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
> <html xmlns="http://www.w3.org/1999/xhtml";>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
> <meta content='width=device-width, initial-scale=1, maximum-scale=1, 
> userscalable=
> no' name='viewport'>
> <link href="css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
> <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" 
> type="text/css"/>
> <link rel="StyleSheet" href="css/style.css" type="text/css" media="screen"/>
> <title>Apache ManifoldCF™ Login</title>
> <script type="text/javascript">
> <!--
> function login()
> {
> document.loginform.submit();
> }
> document.onkeypress = loginKeyPress;
> function loginKeyPress(e)
> {
> e = e || window.event;
> if (e.keyCode == 13)
> {
> document.getElementById('buttonLogin').click();
> return false;
> }
> return true;
> }
> //-->
> </script>
> </head>
> <body class="login-page">
> <div class="login-box">
> <div class="login-logo">
> <a href="/"><img src="ManifoldCF-logo.png"/></a>
> </div>
> <!-- /.login-logo -->
> <div class="login-box-body">
> <p class="login-box-msg">Sign in to start your session</p>
> <form class="standardform" name="loginform" action="setupAdminProfile.jsp"
> method="POST">
> <input type="hidden" name="nextUrl" value="index.jsp?
> smafi"><script>alert(1)</script>non7x=1">
> <div class="form-group has-feedback">
> --snip--
> {code}
> *Recommendations*
> We recommend that the application enforces proper validation on user input. 
> In most situations where user-controllable
> data is copied into application responses, cross-site scripting attacks can 
> be prevented using two
> layers of defenses:
>  * Input should be validated as strictly as possible on arrival, given the 
> kind of content which it is
> expected to contain. For example, personal names should consist of 
> alphabetical and a small range
> of typographical characters, and be relatively short; a year of birth should 
> consist of exactly four
> numerals; email addresses should match a well-defined regular expression. 
> Input which fails the
> validation should be rejected, not sanitized.
>  * User input should be HTML-encoded at any point where it is copied into 
> application responses. All
> HTML metacharacters, including < > " ' and =, should be replaced with the 
> corresponding HTML
> entities (&lt; &gt; etc).
> *References*
>  * OWASP – Cross-site scripting - 
> [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
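The report's two recommended layers (allowlist validation on arrival, HTML-encoding at the point of output) applied to the reflected `nextUrl` hidden field shown in the response above. This is an added illustration, not ManifoldCF code; the class name `NextUrlGuard`, the allowlist pattern and the fallback value `index.jsp` are assumptions chosen for the example, and the attack string is the one from the report's request.

```java
import java.util.regex.Pattern;

/**
 * Added example (not part of ManifoldCF): a reflected "nextUrl" parameter
 * passed through an allowlist check and then HTML-encoded before it is
 * written into an attribute value.
 */
public class NextUrlGuard {

    /**
     * Replace the HTML metacharacters the report lists (< > " ' =) with
     * entities. '&' is encoded as well so the output cannot be re-parsed
     * as an entity the attacker chose.
     */
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '=':  sb.append("&#61;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed allowlist for a post-login redirect target: a relative path
    // built from a small character set, optionally followed by a query
    // string. Anything that does not match is rejected, not sanitized.
    private static final Pattern SAFE_NEXT_URL =
        Pattern.compile("^[A-Za-z0-9_./-]+(\\?[A-Za-z0-9_.=&%-]*)?$");

    /** Return the candidate if it passes the allowlist, else the fallback. */
    public static String validateNextUrl(String candidate, String fallback) {
        if (candidate == null
                || candidate.length() > 256
                || candidate.startsWith("/")      // keep the redirect inside the app path
                || candidate.contains("//")       // no protocol-relative targets
                || !SAFE_NEXT_URL.matcher(candidate).matches()) {
            return fallback;
        }
        return candidate;
    }

    /** Render the hidden field from the report with both layers applied. */
    public static String hiddenNextUrlField(String rawNextUrl) {
        String safe = validateNextUrl(rawNextUrl, "index.jsp");
        return "<input type=\"hidden\" name=\"nextUrl\" value=\""
                + htmlEncode(safe) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the reflected value from the report's request.
        String attack = "index.jsp?smafi\"><script>alert(1)</script>non7x=1";
        System.out.println("validation only : " + validateNextUrl(attack, "index.jsp"));
        System.out.println("encoding only   : " + htmlEncode(attack));
        System.out.println("both layers     : " + hiddenNextUrlField(attack));
        System.out.println("benign value    : " + hiddenNextUrlField("index.jsp?tab=jobs"));
    }
}
```

Either layer alone stops the payload in the report: validation replaces it with the fallback, and encoding turns the `"` that closes the attribute into `&quot;` so the `<script>` text stays inside the attribute value. Using both means a value that slips past the allowlist (for example a character the pattern was later widened to accept) is still rendered as data rather than markup.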
