[ https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Wright resolved CONNECTORS-1597.
-------------------------------------
    Fix Version/s: ManifoldCF 2.13
       Resolution: Fixed

> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Assignee: Kishore Kumar
>            Priority: Minor
>             Fix For: ManifoldCF 2.13
>
>
> This is the full report of a penetration test, performed at a client where we
> deployed a system which uses manifold:
>
> *Summary*
>
> A reflected cross-site scripting vulnerability was discovered in the
> application.
>
> Reflected cross-site scripting occurs when a web application displays data
> submitted by the user that contains HTML markup and scripting code without
> properly escaping it. An attacker will create a link to the vulnerable page
> that will display JavaScript code crafted by the attacker. The attacker will
> then trick an authenticated application user into clicking or following this
> crafted link. When the user's browser parses the generated page, it will
> execute the code crafted by the attacker. If the user was logged in to the
> application when he followed the link, the attacker's code could perform any
> action in the application that the user can perform.
>
> *Impact*
>
> Reflected cross-site scripting can be used by attackers to compromise the
> session of an authenticated user. By persuading the victim to click on a
> specially crafted link, the attacker can execute his own JavaScript payload
> in the browser context of the victim. In this specific case, an attacker
> could hijack the victim's session given that the session token is not
> flagged as HttpOnly as demonstrated in [G190204T1F4][MANIFOLD] Insecure
> Cookie Configuration.
> Additional attacks exist where an attacker can deceive end users of the
> application by redirecting them to replica sites or trick them into
> downloading trojans or other malware. The attacker can also use a so-called
> browser exploitation framework. In this scenario the attacker injects
> JavaScript code that communicates to the attack framework running on the
> attacker's computer. When the victim user executes the JavaScript code the
> attacker can control the victim's browser. Publicly available frameworks
> exist (BeEF - [http://www.bindshell.net/tools/beef], Backframe -
> [http://www.gnucitizen.org/projects/backframe/], XSS Proxy -
> [http://xss-proxy.sourceforge.net/]).
>
> *Affected Systems*
>
> * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/] [name of an arbitrarily
>   supplied URL parameter]
>
> *Description*
>
> A case where the application includes user input into the generated HTML
> pages without properly escaping the user supplied data was discovered in the
> application. The HTTP requests and responses shown below demonstrate the
> problem.
> {code:java}
> GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1
> Host: els-manifold-uat.bc:8475
> Accept-Encoding: gzip, deflate
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> Connection: close
> Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18
> {code}
>
> {code:java}
> HTTP/1.1 200 OK
> Server: nginx/1.12.2
> Date: Mon, 18 Feb 2019 13:07:02 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 2576
> Connection: close
> Pragma: No-cache
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache
> max-age: Thu, 01 Jan 1970 00:00:00 GMT
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE html>
> <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
> <meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
> <link href="css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
> <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
> <link rel="StyleSheet" href="css/style.css" type="text/css" media="screen"/>
> <title>Apache ManifoldCF™ Login</title>
> <script type="text/javascript">
> <!--
> function login()
> {
>   document.loginform.submit();
> }
> document.onkeypress = loginKeyPress;
> function loginKeyPress(e)
> {
>   e = e || window.event;
>   if (e.keyCode == 13)
>   {
>     document.getElementById('buttonLogin').click();
>     return false;
>   }
>   return true;
> }
> //-->
> </script>
> </head>
> <body class="login-page">
> <div class="login-box">
> <div class="login-logo">
> <a href="/"><img src="ManifoldCF-logo.png"/></a>
> </div>
> <!-- /.login-logo -->
> <div class="login-box-body">
> <p class="login-box-msg">Sign in to start your session</p>
> <form class="standardform" name="loginform" action="setupAdminProfile.jsp" method="POST">
> <input type="hidden" name="nextUrl" value="index.jsp?smafi"><script>alert(1)</script>non7x=1">
> <div class="form-group has-feedback">
> --snip--
> {code}
>
> *Recommendations*
>
> We recommend that the application enforces proper validation on user input.
> In most situations where user-controllable data is copied into application
> responses, cross-site scripting attacks can be prevented using two layers of
> defenses:
>
> * Input should be validated as strictly as possible on arrival, given the
>   kind of content which it is expected to contain. For example, personal
>   names should consist of alphabetical and a small range of typographical
>   characters, and be relatively short; a year of birth should consist of
>   exactly four numerals; email addresses should match a well-defined regular
>   expression. Input which fails the validation should be rejected, not
>   sanitized.
> * User input should be HTML-encoded at any point where it is copied into
>   application responses. All HTML metacharacters, including < > " ' and =,
>   should be replaced with the corresponding HTML entities (&lt; &gt; etc).
>
> *References*
>
> * OWASP – Cross-site scripting -
>   [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
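An added example, not code from the report or from the ManifoldCF project: it models the unescaped reflection of the query string into the hidden nextUrl attribute seen in the response above next to an HTML-encoded rendering and the report's strict-validation recommendation, then uses Python's HTML parser to check which rendering lets the input break out of the attribute. The function names, the allow-list regex and the constructed request are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed input modelled on the report's request: the double quote closes
# the value="..." attribute of the hidden nextUrl field.
PAYLOAD_QUERY = 'smafi"><script>alert(1)</script>non7x=1'


def render_next_url_vulnerable(query):
    """Models the reported behaviour (hypothetical helper): the query string is
    copied verbatim into the hidden input's attribute value."""
    return f'<input type="hidden" name="nextUrl" value="index.jsp?{query}">'


def render_next_url_fixed(query):
    """Second defensive layer from the report: HTML-encode before the value
    reaches the attribute, so & < > " and ' become entities and a quote can no
    longer terminate the attribute."""
    return f'<input type="hidden" name="nextUrl" value="index.jsp?{html.escape(query, quote=True)}">'


# First defensive layer: an assumed allow-list for a query string. Input that
# fails it is rejected, not sanitised.
QUERY_ALLOWED = re.compile(r"[A-Za-z0-9_.~%/=&-]*")


def validate_query(query):
    return QUERY_ALLOWED.fullmatch(query) is not None


class FragmentInspector(HTMLParser):
    """Records the start tags a browser-like parser sees and the value it
    assigns to the nextUrl hidden input (entities are decoded by the parser)."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.next_url = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attr = dict(attrs)
        if tag == "input" and attr.get("name") == "nextUrl":
            self.next_url = attr.get("value")


def inspect(fragment):
    """Returns (tags seen, parsed nextUrl value); a 'script' entry in the tag
    list means the input escaped the attribute context."""
    parser = FragmentInspector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.next_url
```

With the encoded rendering the parser reports only the input tag and hands the full original string back as the attribute value, which is the behaviour the recommendation asks for.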