[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-08-20 12:37:08
Message-ID: 55D5C9F4.5010501 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1465
#52988
Release Date:
=============
2015-08-17
Vulnerability Laboratory ID (VL-ID):
====================================
1465
Common Vulnerability Scoring System:
====================================
2.8
Product & Service Introduction:
===============================
Ubiquiti Networks is an American technology company started in 2005. Based in San \
Jose, California they are a manufacturer of wireless products whose primary focus is \
on under-served and emerging markets.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Ubiquiti_Networks )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a client-side cross site \
scripting web vulnerability in the official Ubnt online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-17: Researcher Notification & Coordination (Hadji Samir)
2015-03-18: Vendor Notification (Ubnt Security Team - Bug Bounty Program)
2015-04-03: Vendor Response/Feedback (Ubnt Security Team - Bug Bounty Program)
2015-07-24: Vendor Fix/Patch (Ubnt Developer Team)
2015-08-12: Bug Bounty Reward (Ubnt Security Team - Bug Bounty Program)
2015-08-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Ubiquiti Network
Product: Ubnt Store - Web Application (Online-Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A non persistent cross site scripting web vulnerability has been discovered in the \
official Cisco Newsroom online service web-application. The vulnerability allows \
remote attackers to hijack website customer, moderator or admin sessions data by \
client-side manipulated cross site requests.
The vulnerability is located in the `bridgename` value of the \
store.ubnt.com/skin/adminhtml/default/default/media/ service module. The injection \
point of the issue is the vulnerable uploader.swf file. Remote attackers are able to \
inject own script codes to the vulnerable GET method request of the uploader.swf \
module. The attack vector of the vulnerability is located on the client-side of the \
ubnt store web-application. The request method to inject the script code to the \
client-side is `GET`. The execution of the script code occurs in the same swf files \
context.
The security risk of the non-persistent input validation web vulnerability is \
estimated as medium with a cvss (common vulnerability scoring system) count of 2.8. \
Exploitation of the client-side cross site scripting web vulnerability requires low \
user interaction (click) and no privileged application user account. Successful \
exploitation results in client-side account theft by hijacking, client-side phishing, \
client-side external redirects and non-persistent manipulation of affected or \
connected service modules.
Request Method(s):
[+] GET
Vulnerable Service(s):
[+] Ubnt Store - (store.ubnt.com/skin/adminhtml/default/default/media/)
Vulnerable Module(s):
[+] uploader.swf
Vulnerable Parameter(s):
[+] bridgeName
Proof of Concept (PoC):
=======================
The remote cross site vulnerability in the swf file can be exploited by remote \
attackers without privileged application user account and with low or medium user \
interaction. For security demonstration or to reproduce the vulnerability follow the \
provided information and steps below to continue.
PoC: Example
string attack uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//
PoC: Payload
https://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//Hadji \
Samir
Reference(s):
http://store.ubnt.com/ in the (uploader.swf)
http://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?
Solution - Fix & Patch:
=======================
Encode the bridgeName value in the uploaded swf files to prevent client-side script \
code injection attacks or cross site scripting.
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities in the \
swf file is estimated as medium. (CVSS 2.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability-Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability for consequential or incidental damages so the foregoing limitation may \
not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php \
- evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - \
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, \
including the use of other media, are reserved by Vulnerability-Lab Research Team or \
its suppliers. All pictures, texts, advisories, source code, videos and other \
information on this website is trademark of vulnerability-lab team & the specific \
authors or managers. To record, list (feed), modify, use or edit our material contact \
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic