Apache roller community/Security team,


We are on Apache Roller 6.0.1, and our recent pen test shows the XSS
vulnerability below. https://www.cvedetails.com/cve/CVE-2019-0234/
recommends upgrading Roller blog to 5.2.3, but even with 6.0.1 the issue
persists.

Hope we will have a security patch for this soon.



Thanks

Naren





*FINDING 3.1*

*Title*

Reflected Cross Site Scripting (XSS)

*Impact*

An attacker could use this vulnerability to execute arbitrary JavaScript
within the victim’s browser. This could allow an attacker to hijack
sessions, access data that the victim can access, or force the browser to
perform unwanted actions such as redirecting to malware or a phishing page.

*Recommendations*

Sanitize all user controlled input that is submitted to the application and
filter for JavaScript injection statements. Input that contains potentially
dangerous characters should not be processed by the application. Escape any
user controlled input that is incorporated in the application response.

*Additional Information*

*NIST SP 800-53 Reference*

SI-10 Information Input Validation

*Testing Process and Evidence*

The pentest team discovered that a captcha in the form of a math equation
solution is required when submitting comments on blog posts. The solution
to the math problem is submitted as the value of the answer parameter in a
request to the /blog/director/entry/testing-after-pvt-migration-to URL and
the value is incorporated unsanitized in the application response. The
screenshot below demonstrates submitting a cross site scripting payload as
the value of the answer parameter.



*XSS payload submitted as the value of the answer parameter*

The application reflects the value submitted in the “answer” parameter as
part of a message that the math equation was not solved correctly. This
results in the execution of the submitted cross site scripting payload.

The screenshot below demonstrates the execution of JavaScript alert() with
the value of document.domain.

 #############################

This was reported in 2019

On 2019/07/11 22:14:27, Dave <[email protected]> wrote:

> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions affected: Roller 5.2, 5.2.1, 5.2.2. The unsupported pre-Roller 5.1
> versions may also be affected.
>
> Description: Roller's Math Comment Authenticator did not properly sanitize
> user input and could be exploited to perform Reflected Cross Site Scripting
> (XSS).
>
> Mitigation: The mitigation for this vulnerability is to upgrade to the
> latest version of Roller, which is now Roller 5.2.3.
>
> Credit: This issue was discovered and reported by Muthukumar Marikani
>
-- 
Naren
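Finding 3.1 above describes the math captcha's answer parameter being reflected unescaped into the "not solved correctly" message. As an added example (not Roller's own code, and not from Naren's or the pentest team's report), here is that vulnerable concatenation pattern next to a hardened version that validates the answer as an integer before use and escapes anything it echoes; the class name, the EXPECTED constant and the hand-rolled escapeHtml helper are assumptions.

```java
import java.util.OptionalInt;

public class MathAnswerCheck {
    // Assumption: the sum the server stored for this comment form.
    static final int EXPECTED = 7;

    // Vulnerable pattern: the raw parameter is concatenated into HTML.
    static String vulnerableMessage(String answer) {
        return "<p>Incorrect answer: " + answer + ". Please try again.</p>";
    }

    // Minimal HTML escaping for text content; a real application should use
    // its framework's escaper rather than this hand-rolled version.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A math-captcha answer can only be an integer: reject anything else
    // before it reaches any further processing.
    static OptionalInt parseAnswer(String answer) {
        if (answer == null || !answer.matches("-?\\d{1,9}")) return OptionalInt.empty();
        return OptionalInt.of(Integer.parseInt(answer));
    }

    // Hardened pattern: validate on input, escape on output (defense in depth).
    static String safeMessage(String answer) {
        OptionalInt parsed = parseAnswer(answer);
        if (!parsed.isPresent()) return "<p>The answer must be a whole number.</p>";
        if (parsed.getAsInt() == EXPECTED) return "<p>Thank you, your comment was submitted.</p>";
        return "<p>Incorrect answer: " + escapeHtml(answer) + ". Please try again.</p>";
    }

    public static void main(String[] args) {
        String payload = "<script>alert(document.domain)</script>"; // constructed input
        System.out.println(vulnerableMessage(payload)); // markup reaches the page
        System.out.println(safeMessage(payload));       // rejected, value not echoed
        System.out.println(safeMessage("3"));           // wrong but harmless, escaped
    }
}
```

The rejected branch deliberately never echoes the offending value, so even a gap in the escaper cannot turn the error message into an injection point.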
