[jira] [Assigned] (CONNECTORS-1597) reflected cross-site scripting vulnerability
[ https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright reassigned CONNECTORS-1597:
---------------------------------------

    Assignee: Kishore Kumar  (was: Karl Wright)

> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Assignee: Kishore Kumar
>            Priority: Minor
>
> This is the full report of a penetration test, performed at a client where we deployed a system which uses manifold:
>
> *Summary*
>
> A reflected cross-site scripting vulnerability was discovered in the application.
>
> Reflected cross-site scripting occurs when a web application displays data submitted by the user that contains HTML markup and scripting code without properly escaping it. An attacker will create a link to the vulnerable page that will display JavaScript code crafted by the attacker. The attacker will then trick an authenticated application user into clicking or following this crafted link. When the user's browser parses the generated page, it will execute the code crafted by the attacker. If the user was logged in to the application when he followed the link, the attacker's code could perform any action in the application that the user can perform.
>
> *Impact*
>
> Reflected cross-site scripting can be used by attackers to compromise the session of an authenticated user. By persuading the victim to click on a specially crafted link, the attacker can execute his own JavaScript payload in the browser context of the victim. In this specific case, an attacker could hijack the victim's session given that the session token is not flagged as HttpOnly as demonstrated in [G190204T1F4][MANIFOLD] Insecure Cookie Configuration.
>
> Additional attacks exist where an attacker can deceive end users of the application by redirecting them to replica sites or trick them into downloading trojans or other malware. The attacker can also use a so called browser exploitation framework. In this scenario the attacker injects JavaScript code that communicates to the attack framework running on the attacker's computer. When the victim user executes the JavaScript code the attacker can control the victim's browser. Publicly available frameworks exist (BeEF - [http://www.bindshell.net/tools/beef], Backframe - [http://www.gnucitizen.org/projects/backframe/], XSS Proxy - [http://xss-proxy.sourceforge.net/]).
>
> *Affected Systems*
>
> * [https://els-manifold-uat.bc:8475/mcf-crawler-ui/] [name of an arbitrarily supplied URL parameter]
>
> *Description*
>
> A case where the application includes user input into the generated HTML pages without properly escaping the user supplied data was discovered in the application. The HTTP requests and responses shown below demonstrate the problem.
>
> {code:java}
> GET /mcf-crawler-ui/?smafi">alert(1)non7x=1 HTTP/1.1
> Host: els-manifold-uat.bc:8475
> Accept-Encoding: gzip, deflate
> Accept: */*
> Accept-Language: en
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
> Connection: close
> Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18
> {code}
>
> {code:java}
> HTTP/1.1 200 OK
> Server: nginx/1.12.2
> Date: Mon, 18 Feb 2019 13:07:02 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 2576
> Connection: close
> Pragma: No-cache
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache
> max-age: Thu, 01 Jan 1970 00:00:00 GMT
>
> http://www.w3.org/1999/xhtml;>
> type="text/css"/>
> Apache ManifoldCF™ Login
> Sign in to start your session
> method="POST">
> alert(1)non7x=1">
> --snip--
> {code}
>
> *Recommendations*
>
> We recommend that the application enforce proper validation on user input. In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
>
> * Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular
[jira] [Assigned] (CONNECTORS-1597) reflected cross-site scripting vulnerability
[ https://issues.apache.org/jira/browse/CONNECTORS-1597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright reassigned CONNECTORS-1597:
---------------------------------------

    Assignee: Karl Wright

> reflected cross-site scripting vulnerability
> --------------------------------------------
>
>                 Key: CONNECTORS-1597
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1597
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: ManifoldCF 2.12
>            Reporter: roel goovaerts
>            Assignee: Karl Wright
>            Priority: Minor