[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-08-20 12:37:08
Message-ID: 55D5C9F4.5010501 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
UBNT Bug Bounty #1 - Client Side Cross Site Scripting Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1465
#52988
Release Date:
=============
2015-08-17
Vulnerability Laboratory ID (VL-ID):
====================================
1465
Common Vulnerability Scoring System:
====================================
2.8
Product & Service Introduction:
===============================
Ubiquiti Networks is an American technology company started in 2005. Based in San Jose, California they \
are a manufacturer of wireless products whose primary focus is on under-served and emerging markets.
(Copy of the Homepage: http://en.wikipedia.org/wiki/Ubiquiti_Networks )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a client-side cross site scripting web \
vulnerability in the official Ubnt online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-17: Researcher Notification & Coordination (Hadji Samir)
2015-03-18: Vendor Notification (Ubnt Security Team - Bug Bounty Program)
2015-04-03: Vendor Response/Feedback (Ubnt Security Team - Bug Bounty Program)
2015-07-24: Vendor Fix/Patch (Ubnt Developer Team)
2015-08-12: Bug Bounty Reward (Ubnt Security Team - Bug Bounty Program)
2015-08-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Ubiquiti Network
Product: Ubnt Store - Web Application (Online-Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A non persistent cross site scripting web vulnerability has been discovered in the official Cisco \
Newsroom online service web-application. The vulnerability allows remote attackers to hijack website \
customer, moderator or admin sessions data by client-side manipulated cross site requests.
The vulnerability is located in the `bridgename` value of the \
store.ubnt.com/skin/adminhtml/default/default/media/ service module. The injection point of the issue is \
the vulnerable uploader.swf file. Remote attackers are able to inject own script codes to the vulnerable \
GET method request of the uploader.swf module. The attack vector of the vulnerability is located on the \
client-side of the ubnt store web-application. The request method to inject the script code to the \
client-side is `GET`. The execution of the script code occurs in the same swf files context.
The security risk of the non-persistent input validation web vulnerability is estimated as medium with a \
cvss (common vulnerability scoring system) count of 2.8. Exploitation of the client-side cross site \
scripting web vulnerability requires low user interaction (click) and no privileged application user \
account. Successful exploitation results in client-side account theft by hijacking, client-side \
phishing, client-side external redirects and non-persistent manipulation of affected or connected \
service modules.
Request Method(s):
[+] GET
Vulnerable Service(s):
[+] Ubnt Store - (store.ubnt.com/skin/adminhtml/default/default/media/)
Vulnerable Module(s):
[+] uploader.swf
Vulnerable Parameter(s):
[+] bridgeName
Proof of Concept (PoC):
=======================
The remote cross site vulnerability in the swf file can be exploited by remote attackers without \
privileged application user account and with low or medium user interaction. For security demonstration \
or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Example
string attack uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//
PoC: Payload
https://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?bridgeName=1``]));}catch(s){alert('hadjisamir')}//Hadji \
Samir
Reference(s):
http://store.ubnt.com/ in the (uploader.swf)
http://store.ubnt.com/skin/adminhtml/default/default/media/uploader.swf?
Solution - Fix & Patch:
=======================
Encode the bridgeName value in the uploaded swf files to prevent client-side script code injection \
attacks or cross site scripting.
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerabilities in the swf file is \
estimated as medium. (CVSS 2.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab \
disclaims all warranties, either expressed or implied, including the warranties of merchantability and \
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of \
damage, including direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such \
damages. Some states do not allow the exclusion or limitation of liability for consequential or \
incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to \
break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen \
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - \
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from \
Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is \
granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research \
Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this \
website is trademark of vulnerability-lab team & the specific authors or managers. To record, list \
(feed), modify, use or edit our material contact (admin@vulnerability-lab.com or \
research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic