CVE-2017-12882, CVE-2017-12881: Stored XSS and CSRF on Spring Batch Admin before 1.3.0

[Wen Bin Kong <kongwenbin () live com>]

Hi,

I found the following vulnerabilities on Spring Batch Admin, below are the CVE ID for reference:

* CVE-2017-12881 - Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote 
attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the 
file upload vulnerability

* CVE-2017-12882 - Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote 
authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality

--------------------------------
Application Description
--------------------------------
Spring Batch Admin provides a web-based user interface that features an admin console for Spring Batch applications and 
systems. It is an open-source project from Spring. 

--------------------------------
Vulnerable Payload
--------------------------------
/files?path=<script>alert(42)</script>

--------------------------------
Mitigation / Recommendation
--------------------------------
Understand that no patches will be published as product is going to EOL soon. The recommendation given by the vendor is 
to move off Spring Batch Admin onto Spring Cloud Data Flow going forward. I (discoverer) seconded the recommendation as 
it will no longer be supported, but if your organisation still require to use this application internally for some 
reason and does not want to deploy another product to replace it, you can consider entirely removing the file.php page 
if your team does not require to use it to upload new configurations often. Or implement a fix to sanitise the user 
controlled 'path' parameter value on the file.php page. 

--------------------------------
Discovery Timeline (key events)
--------------------------------
March 2017 - initial report submitted to Spring team
May 2017 - Spring team shared that the stored xss issue might be fixed indirectly when fixing another issue on 
directory traversal, thus pending a full audit to confirm this. The CSRF issue is confirmed but it is low risk so they 
are still determining if they are going to fix it. 
June 2017 - Spring team shared that the open source support policy for Spring Batch Admin states that Spring supports 
minor versions for 12 months and major version for 3 years. The last minor release of Spring Batch Admin (1.3.0) was in 
2014 with one patch release since. As a result, the team is reluctant to commit to something as intensive as a full 
audit for this application.
July 2017 - Spring team shared that they do not plan to verify or fix the reported issues because they were planning to 
announce End-Of-Life (EOL) for this project soon. Also, they shared that "It is our recommendation to move off of 
Spring Batch Admin onto Spring Cloud Data Flow going forward".

Thank you.

Best regards,
Wen Bin