Roller WebLogger 多个跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1193451 漏洞类型 跨站脚本
发布时间 2006-09-19 更新时间 2006-09-20
CVE编号 CVE-2006-4856 CNNVD-ID CNNVD-200609-345
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2006090125
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-345
|漏洞详情
RollerWebLogger2.3中存在多个跨站脚本攻击(XSS)漏洞,远程攻击者可以通过(1)name、(2)email或(3)url参数;(4)预览方法中的某些内容参数;或(a)sitesearch.do中的(5)q参数注入任意Web脚本或HTML。
|漏洞EXP

I. BACKGROUND

Roller is the open source blog server that drives Sun Microsystem's blogs.sun.com employee blogging site, IBM DeveloperWorks blogs, thousands of internal blogs at IBM Blog Central, the Javalobby's 10,000 user strong JRoller Java community site, and hundreds of other blogs world-wide. More information is available at the following address:

http://rollerweblogger.org/page/project

II. DESCRIPTION

Remote exploitation of a Cross-Site Scripting (XSS) vulnerability in the Roller allows an attacker to force to inject arbitrary script code into a users session, possibly stealing logon credentials.

To demonstrate the vulnerability, simply embed the following encoded text into the identified vulnerable fields.

>'><script>alert(1234)</script>

This will have the affect of popping up an alert window. This proof of concept could easily be altered to cause the script to return authentication credentials to an attacker controlled server.

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to inject arbitrary script code into the session. This could allow for the theft of authentication information, which could lead to a compromised account.

In order for exploitation to occur, the targeted user would only have to view a blog entry from an attacker. This vulnerability has a high potential for widespread exploitation.

IV. DETECTION

Roller 2.3 Web application has been confirmed vulnerable.

SNORT RULES:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit"; flow:to_server; content:"post"; depth:4; nocase;  content:"method=post"; nocase; pcre:"/(name|email|url).*=.*%22.*%3e.*%3cscript%3e.*%3c%2fscript%3e.*&/i
"; classtype:web-application-activity; sid:9999991; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit"; flow:to_server; content:"post"; depth:4; nocase; content:"method=preview"; nocase; pcre:"/content.*=.*%3c%2ftextarea%3e%3cscript%3e.*%3c%2fscript%3e/i"; classtype:web-application-activity; sid:9999992; rev:1;)

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit"; flow:to_server; content:"get"; depth:3; nocase; pcre:"/sitesearch.do?q=.*%3cscript%3e.*%3c%2fscript%3e/i"; classtype:web-application-activity; sid:9999993; rev:1;)

V. WORKAROUND

Cenzic is currently unaware of any effective workarounds that can be implemented on the server in order to mitigate the risk of this vulnerability; however, there are workarounds available for client

protection. Since exploitation allows for the execution of malicious code in web browsers, successful exploitation could be thwarted by disabling script code and active content support within a client browser. Take note that employing this workaround could adversely affect web sites reliant upon the execution of browser-based script code. The following steps can be taken to disable active scripting in

Mozilla and Internet Explorer:

Internet Explorer 5.0, 5.01, 5.5, 6

a. On the Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level.

b. In the Settings box, scroll down to the Scripting section, and click Disable under Active scripting and Scripting of Java applets.

c. Click OK, and then click OK again.

Mozilla Firefox

a. On the Tools menu, click Options and click the Web Features tab.

b. De-select the Enable JavaScript checkbox.

c. Click OK.

VI. VENDOR RESPONSE

We have a release candidate available now for testing, but we need

three votes from the Apache Incubator Program Management Committee

(PMC) before we can make the release official. So let's ask the PMC.

PMC members, please chime in. The release is 2.3 plus one bug fix

(strip markup from name and URL field in comments form). What would

you like to see happen before we call this a release?

You can get the release candidate here:

http://people.apache.org/~snoopdave/

The bug report:

http://opensource.atlassian.com/projects/roller/browse/ROL-1196

Vendor contact name     : Dave Johnson

Vendor contact phone    : N/A

Vendor contact e-mail  :dave[dot]johnson[at]rollerweblogger[dot]org

Vendor reference number : N/A

VII. CVE / CERT INFORMATION

CERT has assigned a tracking number VU#366900. They take upto 45 days to make a public disclosure.

VIII. DISCLOSURE TIMELINE

07/11/2006 Initial vendor notification

07/11/2006 Initial vendor response

??/??/??Coordinated public disclosure

IX. CREDIT

Avinash Shenoi

Cenzic Inc.

X. LEGAL NOTICES

Copyright &copy;

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Cenzic. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically, please email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
|参考资料

来源:US-CERT
名称:VU#366900
链接:http://www.kb.cert.org/vuls/id/366900
来源:BID
名称:20045
链接:http://www.securityfocus.com/bid/20045
来源:BUGTRAQ
名称:20060915RollerWebloggerXSSvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/446133/100/0/threaded
来源:MISC
链接:http://people.apache.org/~snoopdave/roller-2.3.1-rc1/apache-roller-src-2.3.1-rc1-incubating.tar.gz
来源:MISC
链接:http://opensource.atlassian.com/projects/roller/browse/ROL-1196
来源:VUPEN
名称:ADV-2006-3667
链接:http://www.frsirt.com/english/advisories/2006/3667
来源:SREASON
名称:1597
链接:http://securityreason.com/securityalert/1597
来源:SECUNIA
名称:21964
链接:http://secunia.com/advisories/21964