JSPWiki 'Edit.jsp' Cross-Site Scripting Vulnerability

Vulnerability ID: 1114552    Type: Cross-site scripting
Published: 2008-02-13    Updated: 2008-09-05
CVE: CVE-2008-1229    CNNVD ID: CNNVD-200803-117
Platform: JSP    CVSS score: 4.3
|Source
https://www.exploit-db.com/exploits/5112
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-117
|Details
JSPWiki is a wiki engine written purely in JSP/servlets. Rather than an off-the-shelf database, it stores everything as text files and uses a CVS-like mechanism to keep page versions intact. It supports Chinese, version comparison, permission management and similar features. Edit.jsp in JSPWiki has a cross-site scripting vulnerability: a remote attacker can inject arbitrary web script or HTML through the editor parameter.
|Exploit
JSPWiki Multiple Vulnerabilities


Vendor:
Janne Jalkanen JSPWiki – http://www.jspwiki.org

Application Description:
From JSPWiki website - "JSPWiki is a feature-rich and extensible WikiWiki engine built around standard J2EE components (Java, servlets, JSP)."

Tested versions:
JSPWiki v2.4.104
JSPWiki v2.5.139
Earlier versions may also be affected.

JSPWiki Local .jsp File Inclusion Vulnerability.
An input validation problem exists within JSPWiki which allows arbitrary local .jsp files to be executed (included). An attacker may leverage this issue to execute arbitrary server-side script code on a vulnerable server with the privileges of the web server process.

Example (including rss.jsp file from the application root directory):
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=../../../rss

Note: page parameter must be an existing page on the server.

This grants an attacker unauthorized access to sensitive .jsp files on the server and can lead to information disclosure.

Examples:
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../Install
http://server/JSPWikiPath/Edit.jsp?page=User&editor=../../../admin/SecurityConfig

The first example discloses sensitive information such as the full path of the application on the server, the page (and attachment) storage path, log files and work directory by including the application installation page (Install.jsp).
The second example discloses the application security configuration by including the JSPWiki Security Configuration Verifier page (admin/SecurityConfig.jsp).

In addition, JSPWiki allows users to upload (attach) files to pages. An attacker can use the information disclosed by the installation page to upload a malicious .jsp file and then include it locally through the same editor parameter.
By executing malicious server-side code, an attacker may be able to compromise the server.


JSPWiki Cross-Site Scripting Vulnerability.
An attacker may leverage cross-site scripting vulnerability to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Example:
http://server/JSPWikiPath/Edit.jsp?page=Main&editor=%3Cscript%3Ealert(document.cookie)%3C/script%3E
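Both findings above come down to one untrusted value, the editor query parameter, being used in two unsafe ways: spliced into the path of a JSP to include, and echoed back into the page unescaped. The following Python model, added here as an illustration and not JSPWiki's own code or part of the BugSec advisory, reproduces the path resolution that makes the advisory's three-level traversal land in the application root, and shows the allow-list plus containment check and output escaping that close both issues. The deployment root /opt/jspwiki, the editors directory templates/default/editors and the set of editor names are all constructed assumptions.

```python
"""Model of how an 'editor' request parameter becomes an included JSP path.

Hypothetical reconstruction for illustration only; the layout and editor
names below are assumptions, not JSPWiki's real configuration.
"""
import html
import posixpath

APP_ROOT = "/opt/jspwiki"                   # assumed webapp root (constructed)
EDITOR_DIR = "templates/default/editors"    # assumed include directory (constructed)
KNOWN_EDITORS = {"plain", "FCK", "TinyMCE"}  # hypothetical allow-list of editors


class InvalidEditor(ValueError):
    """Raised by the hardened resolver for any editor name it will not include."""


def resolve_editor_vulnerable(editor: str) -> str:
    """Naive pattern: append '.jsp' to the raw parameter and join it under EDITOR_DIR.

    '../' sequences in `editor` walk out of the editors directory, so the
    advisory's '../../../rss' resolves to <root>/rss.jsp.
    """
    rel = posixpath.join(EDITOR_DIR, editor + ".jsp")
    return posixpath.normpath(posixpath.join(APP_ROOT, rel))


def resolve_editor_hardened(editor: str) -> str:
    """Allow-list the name first, then verify the resolved path is still under EDITOR_DIR."""
    if editor not in KNOWN_EDITORS:
        raise InvalidEditor(f"unknown editor {editor!r}")
    base = posixpath.join(APP_ROOT, EDITOR_DIR)
    path = posixpath.normpath(posixpath.join(base, editor + ".jsp"))
    # Containment check as a second layer in case the allow-list is ever relaxed.
    if not path.startswith(base + "/"):
        raise InvalidEditor(f"editor {editor!r} resolves outside {base}")
    return path


def hardened_rejects(editor: str) -> bool:
    """True when the hardened resolver refuses the given editor name."""
    try:
        resolve_editor_hardened(editor)
    except InvalidEditor:
        return True
    return False


def render_editor_name(editor: str) -> str:
    """Escape the parameter before it is echoed into HTML; this neutralises the reflected XSS."""
    return html.escape(editor, quote=True)


if __name__ == "__main__":
    for name in ("plain", "../../../rss", "../../../admin/SecurityConfig"):
        print(f"{name!r:35} -> vulnerable: {resolve_editor_vulnerable(name)}")
        print(f"{'':35}    hardened: "
              f"{'rejected' if hardened_rejects(name) else resolve_editor_hardened(name)}")
    print(render_editor_name("<script>alert(document.cookie)</script>"))
```

The three `../` segments in the advisory's URLs correspond to the three directory levels between the assumed editors directory and the application root; a real deployment may need a different count, which is why the fix must not depend on the layout but on refusing any name that is not on the allow-list.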

Original Document:
http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0

Download PDF:
http://www.bugsec.com/up_files/JSPWiki_Multiple_Vulnerabilities.pdf

Credit:
Moshe BA
BugSec LTD. - Security Consulting Company
Tel: +972-3-9622655
Fax: +972-3-9511433
Email: Info -at- BugSec -d0t- com
http://www.bugsec.com 

# milw0rm.com [2008-02-13]
|References

Source: XF
Name: jspwiki-edit-xss(40507)
Link: http://xforce.iss.net/xforce/xfdb/40507
Source: BID
Name: 27785
Link: http://www.securityfocus.com/bid/27785
Source: MILW0RM
Name: 5112
Link: http://www.milw0rm.com/exploits/5112
Source: MISC
Link: http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0
Source: SECUNIA
Name: 28969
Link: http://secunia.com/advisories/28969
Source: BUGTRAQ
Name: 20080213 JSPWiki Multiple Vulnerabilities
Link: http://marc.info/?l=bugtraq&m=120300554011544&w=2