Jaws 1.1.1: Object Injection, Open Redirect, Cookie Flags

["Curesec Research Team (CRT)" <crt () curesec com>]

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Jaws 1.1.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://jaws-project.com/
Vulnerability Type:  Object Injection, Open Redirect, Cookie Flags
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to various low to medium impact issues. It contains an Object
Injection, which does not seem to be currently exploitable without custom
changes made by users; its session cookies are not set to httpOnly, which may
make it easier to exploit XSS issues; and it contains an Open Redirect issue.

3. Details

Open Redirect / Phishing

After a login is performed, a user is redirected to a website defined in the
URL, which may be exploited in phishing attacks.

Note that the redirect only works if the user was not logged in previously, and
then only after a login is performed.

Proof of Concept:

http://localhost/jaws-complete-1.1.1/index.php/users/login/referrer/
687474703a2f2f6578616d706c652e636f6d.html 687474703a2f2f6578616d706c652e636f6d
is the result of a hex2bin call.

Object Injection

All parameters passed to the application are passed to unserialize, making the
application vulnerable to Object Injection.

Currently, there does not seem to be code that can be exploited via Object
Injection, but this may change in the future, or users may have custom code
which isn't in itself vulnerable, but would result in vulnerable code in
combination with this issue.

Proof of Concept:

All values passed to the application are vulnerable, for example a cookie: GET
/jaws-complete-1.1.1/admin.php?checksess HTTP/1.1 Host: localhost
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:
JAWSSESSID=O:{}; Connection: close Cache-Control: max-age=0

Cookie Flags

The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly
easier to exploit XSS vulnerabilities.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Object-Injection-Open-Redirect-Cookie-Flags-168.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/