Webtrees 1.5.1 Cross-Site-Scripting

2015.01.14
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

=== Security Advisory ===
Webtrees 1.5.1 - Cross-Site-Scripting
------------------------------------------------------------

Affected Version
================
Webtrees 1.5.1

Problem Overview
================
Technical Risk: low
Likelihood of Exploitation: medium
Vendor: Webtrees Team
Reported by: Eric Sesterhenn <snakebyte@gmx.de>
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2014001.txt
Advisory Status: Public

Problem Impact
==============
While taking a quick look at the web interface, an XSS issue was found that is triggered when a malicious map parameter is supplied.

Problem Description
===================
The problem manifests in modules_v3/googlemap/wt_v3_street_view.php line 311, where the map GET parameter is embedded into JavaScript without escaping. The same issue appears with the GET parameter streetview in line 312.

The issue can be easily tested:
http://localhost/webtrees-master/modules_v3/googlemap/wt_v3_street_view.php?map=%27%22;%20alert%28%22XSS%22%29;%20b=%22

URL-decoded, the map value is '"; alert("XSS"); b=" : the leading quote closes the string literal on line 311, alert() then runs as a statement, and the trailing b=" opens a new string so that the rest of the generated line still parses and the script block executes.

Temporary Workaround and Fix
============================
Apply the following patch:

--- wt_v3_street_view.php.orig 2014-01-03 17:37:40.328119432 +0100
+++ wt_v3_street_view.php 2014-01-04 10:56:05.288790531 +0100
@@ -308,8 +308,8 @@ function initialize() { } // end init -var mapbutt = "<?php echo $_GET['map']; ?>"; -var svbutt = "<?php echo $_GET['streetview']; ?>"; +var mapbutt = <?php echo json_encode($_GET['map']); ?>; +var svbutt = "<?php echo json_encode($_GET['streetview']); ?>"; function toggleStreetView() { var toggle = panorama.getVisible(); if (toggle == false) { 
@@ -373,8 +373,8 @@ google.maps.event.addDomListener(window, <div id="toggle"> <form name="myForm" title="myForm"> <?php - $map = $_GET['map']; - $reset = $_GET['reset']; + $map = htmlentities($_GET['map']); + $reset = htmlentities($_GET['reset']); echo '<input id="butt1" name ="butt1" type="button" value="', $map, '" onclick="toggleStreetView();"></input>'; echo '<input id="butt2" name ="butt2" type="button" value="', $reset, '" onclick="resetview();"></input>'; ?>

History
=======
03.01.2014 - Issue detected
03.01.2014 - Vendor notified
03.01.2014 - Vendor response, code rewritten
04.01.2014 - Proposal of more complete patch
10.02.2014 - fixed version released (1.5.2)
10.02.2014 - Advisory released
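Review bot: in the first hunk (@@ -308,8 +308,8 @@) the line `+var svbutt = "<?php echo json_encode($_GET['streetview']); ?>";` keeps the surrounding double quotes, so the rendered output is `var svbutt = ""...""` with the JSON literal's own quotes nested inside a second pair: a JavaScript syntax error that breaks the script block, and inconsistent with the `mapbutt` line directly above it, which correctly drops the quotes. It should read `+var svbutt = <?php echo json_encode($_GET['streetview']); ?>;`. Two smaller points on both added lines: `$_GET['map']` and `$_GET['streetview']` raise an undefined-index notice when the parameter is absent (json_encode(null) then prints `null`), so read them through isset() with a default; and passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` to json_encode() makes the literal safe wherever inside the HTML document it ends up, not only inside this script block.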
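Review bot: in the second hunk (@@ -373,8 +373,8 @@) `htmlentities($_GET['map'])` and `htmlentities($_GET['reset'])` are called with default flags and no charset. Before PHP 5.4 the default charset is ISO-8859-1, and the default ENT_COMPAT mode leaves single quotes unescaped; because the value is written into a double-quoted `value="..."` attribute, ENT_COMPAT is sufficient here, but `htmlentities($_GET['map'], ENT_QUOTES, 'UTF-8')` makes the escaping independent of the PHP version and of how the attribute is quoted, and an isset() guard avoids the notice when the parameter is missing. Note also that `map` now passes through two different escapers, json_encode() for the script block and htmlentities() for the attribute; that is correct, since the two sinks have different grammars, and deserves a comment in the file so a later edit does not "unify" them.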
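The two sinks the advisory describes, modelled as an added example (this is not code from the advisory or from the Webtrees project). The PHP templates for the script block (lines 311-312) and for the toggle button's value attribute are re-expressed as JavaScript template strings so that the raw echo and the escaped form can be executed and compared offline: the script variants are run with a recording stand-in for alert(), and the attribute variants are checked with a simplified attribute parser. The advisory's own payload is used for the script sink; the `</script>` probe, the attribute probe, the helper names and the exact shape of the button markup are constructed for this example. The JS-literal escaper does what PHP's json_encode() with JSON_HEX_TAG | JSON_HEX_AMP does; the attribute escaper corresponds to htmlentities() with ENT_QUOTES and UTF-8.

```javascript
// Added example, not code from the advisory or the Webtrees project: a
// JavaScript model of the two sinks in wt_v3_street_view.php.

// The advisory's proof-of-concept value, URL-decoded from its ?map= query.
const ADVISORY_PAYLOAD = '\'"; alert("XSS"); b="';

// Constructed probes (not from the advisory) for the two other escape gaps
// an inline-script string and an attribute value have to close.
const SCRIPT_CLOSE_PAYLOAD = '</script><script>alert(1)</script>';
const ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)';

// --- Sink 1: the <script> block (lines 311-312 of the original) -----------

// Vulnerable shape: the parameter is pasted straight into a string literal.
function renderScriptVulnerable(map, streetview) {
  return `var mapbutt = "${map}";\nvar svbutt = "${streetview}";`;
}

// Produce a JS string literal that is also safe inside an inline <script>.
// JSON.stringify handles quotes, backslashes and control characters; the
// replacements cover "</script>", "<!--" and the U+2028/2029 line
// terminators, which JSON leaves untouched. This matches the escaping that
// PHP's json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP) performs.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Fixed shape: the literal, quotes included, replaces the whole "...".
function renderScriptFixed(map, streetview) {
  return `var mapbutt = ${jsStringLiteral(map)};\nvar svbutt = ${jsStringLiteral(streetview)};`;
}

// Execute a rendered block the way the browser would, with a recording
// stand-in for alert(). Returns whether alert() fired and what the two
// variables ended up holding.
function executeRendered(script) {
  const calls = [];
  const run = new Function('alert', `${script}\nreturn { mapbutt, svbutt };`);
  const vars = run((...args) => calls.push(args));
  return { alerted: calls.length > 0, ...vars };
}

// True when the rendered text still contains a raw "</script", which would
// end the inline script element before the browser ever parses the string.
function endsScriptElement(script) {
  return /<\/script/i.test(script);
}

// --- Sink 2: the value="..." attribute of the toggle button ---------------

// Vulnerable shape, as in the original PHP echo (markup shape approximated).
function renderButtonVulnerable(map) {
  return `<input id="butt1" name="butt1" type="button" value="${map}" onclick="toggleStreetView();">`;
}

// HTML attribute escaping equivalent to htmlentities($v, ENT_QUOTES, 'UTF-8')
// for the five characters that matter; escaping ' as well keeps the value
// safe even if the attribute is later changed to single quotes.
function htmlAttr(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => table[c]);
}

function renderButtonFixed(map) {
  return `<input id="butt1" name="butt1" type="button" value="${htmlAttr(map)}" onclick="toggleStreetView();">`;
}

// Simplified attribute parse (double-quoted name="value" pairs only): a
// value that breaks out of its quotes shows up as extra attribute names.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Stand-alone run: one verdict per case.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable script:', executeRendered(renderScriptVulnerable(ADVISORY_PAYLOAD, 'Street view')));
  console.log('fixed script:', executeRendered(renderScriptFixed(ADVISORY_PAYLOAD, 'Street view')));
  console.log('vulnerable button attrs:', attributeNames(renderButtonVulnerable(ATTRIBUTE_PAYLOAD)));
  console.log('fixed button attrs:', attributeNames(renderButtonFixed(ATTRIBUTE_PAYLOAD)));
}
```

Run under Node with `node example.js`. The vulnerable script fires alert("XSS") and leaves mapbutt holding only the single quote, while the fixed script leaves mapbutt equal to the full payload and never calls alert(); for the attribute sink the vulnerable render grows an `onfocus` attribute that the escaped render does not have.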

References:

http://www.rusty-ice.de/advisory/advisory_2014001.txt



Copyright 2024, cxsecurity.com
