[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-08-20 12:37:08
Message-ID: 55D5C9F4.5010501 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1465
#52988
Release Date:
=============
2015-08-17
Vulnerability Laboratory ID (VL-ID):
====================================
1465
Common Vulnerability Scoring System:
====================================
2.8
Product & Service Introduction:
===============================
Ubiquiti Networks is an American technology company started in 2005. Based in San Jose, \
California they are a manufacturer of wireless products whose primary focus is on under-served \
and emerging markets.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Ubiquiti_Networks )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a client-side cross site scripting web \
vulnerability in the official Ubnt online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-17: Researcher Notification & Coordination (Hadji Samir)
2015-03-18: Vendor Notification (Ubnt Security Team - Bug Bounty Program)
2015-04-03: Vendor Response/Feedback (Ubnt Security Team - Bug Bounty Program)
2015-07-24: Vendor Fix/Patch (Ubnt Developer Team)
2015-08-12: Bug Bounty Reward (Ubnt Security Team - Bug Bounty Program)
2015-08-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Ubiquiti Network
Product: Ubnt Store - Web Application (Online-Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A non persistent cross site scripting web vulnerability has been discovered in the official \
Cisco Newsroom online service web-application. The vulnerability allows remote attackers to \
hijack website customer, moderator or admin sessions data by client-side manipulated cross site \
requests.
The vulnerability is located in the `bridgename` value of the \
store.ubnt.com/skin/adminhtml/default/default/media/ service module. The injection point of \
the issue is the vulnerable uploader.swf file. Remote attackers are able to inject own script \
codes to the vulnerable GET method request of the uploader.swf module. The attack vector of \
the vulnerability is located on the client-side of the ubnt store web-application. The request \
method to inject the script code to the client-side is `GET`. The execution of the script code \
occurs in the same swf files context.
The security risk of the non-persistent input validation web vulnerability is estimated as \
medium with a cvss (common vulnerability scoring system) count of 2.8. Exploitation of the \
client-side cross site scripting web vulnerability requires low user interaction (click) and no \
privileged application user account. Successful exploitation results in client-side account \
theft by hijacking, client-side phishing, client-side external redirects and non-persistent \
manipulation of affected or connected service modules.
Request Method(s):
[+] GET
Vulnerable Service(s):
[+] Ubnt Store - (store.ubnt.com/skin/adminhtml/default/default/media/)
Vulnerable Module(s):
[+] uploader.swf
Vulnerable Parameter(s):
[+] bridgeName
Proof of Concept (PoC):
=======================
The remote cross site vulnerability in the swf file can be exploited by remote attackers \
without privileged application user account and with low or medium user interaction. For \
security demonstration or to reproduce the vulnerability follow the provided information and \
steps below to continue.
PoC: Example
string attack uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//
PoC: Payload
https://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//Hadji \
Samir
Reference(s):
http://store.ubnt.com/ in the (uploader.swf)
http://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?
Solution - Fix & Patch:
=======================
Encode the bridgeName value in the uploaded swf files to prevent client-side script code \
injection attacks or cross site scripting.
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities in the swf file \
is estimated as medium. (CVSS 2.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic