Security Advisories & CVEs
Aside from pentests and trainings, I also do general security research on open source and commercial products as well as frameworks from time to time. During this free research work I've identified several vulnerabilities and responsibly disclosed them to the developers or vendors, helping to make their products safer (without a pentest being ordered).
The following list gives an overview of issues I've identified during this free research, along with the security advisories or CVEs that were created. Due to the responsible disclosure process the level of detail in the advisories is kept to a minimum, while still benefiting the users of the software and the security community through a standard notification and CVE process. Where relevant, I work with CERT/CC or CERT-BUND to coordinate the communication and advisory creation. Vendors often follow the guidelines issued by the "Allianz für Cybersicherheit" for handling identified vulnerabilities. As a security researcher I follow MITRE's "CVE Identifier Reservation Guidelines for Researchers" as well as the "Guidelines for Security Vulnerability Reporting and Response" of the Organization for Internet Safety.
Overview
- CVE-2014-5516: CSRF protection bypass in "KonaKart" Java eCommerce product
- CVE-2014-5393: Path traversal to sensitive files in webroot in "JobScheduler" product
- CVE-2014-5392: XML eXternal Entity (XXE) in "JobScheduler" product
- CVE-2014-5391: DOM-based Cross-Site Scripting (XSS) in "JobScheduler" product
- CVE-2014-3574: DoS in OOXML office documents against "Apache POI" library
- CVE-2014-3529: XML eXternal Entity (XXE) Information Disclosure against "Apache POI" library
- CVE-2014-3160: Same-Origin Policy (SOP) bypass using SVG in "Google Chrome" browser
- CVE-2014-3149: Reflected Cross-Site Scripting (XSS) in "Invision Power IP.Board" product
- CVE-2014-2843: Reflected Cross-Site Scripting (XSS) in "infoware MapSuite" product
- CVE-2014-2233: Server-Side Request Forgery (SSRF) in "infoware MapSuite" product
- CVE-2014-2232: Absolute Path Traversal in "infoware MapSuite" product
- CVE-2014-2026: Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" product
- CVE-2014-2025: Remote Code Execution (RCE) via Unrestricted Upload in "Intrexx Professional" product
- CVE-2014-0043: Information Disclosure in "Apache Wicket" web framework
- Reflected Cross-Site Scripting (XSS) + Server-Side Request Forgery (SSRF) in "WebService Test Page" (of Oracle WebLogic server console)
- CVE-2012-1712: Path Traversal in "Java Server Faces (JSF)" web framework (Oracle & Liferay)
Details
| CVE-2014-5516 | CSRF protection bypass in "KonaKart" Java eCommerce product |
|---|---|
| Description: | The existing CSRF protection token of the KonaKart Storefront Application was checked properly for every POST request. When changing the request method from POST to GET, all state-changing actions still worked, but the CSRF token was no longer enforced, allowing Cross-Site Request Forgery attacks. KonaKart 7.3.0.0 fixes this vulnerability. |
| Exploitability: | Logged-in victim needs to visit a malicious webpage of the attacker |
| Escalation: | CSRF-based overwriting of the victim account's mail address escalates to a successful password reset by the attacker, allowing account takeover |
| Researcher credit: | Christian Schneider |
| See also: | Credit from KonaKart vendor; Advisory (via BugTraq); CVE |

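As an added illustration of the KonaKart finding (example code written for this page, not KonaKart's own), a servlet filter mapped to the state-changing action URLs that shows the weak method-bound token check next to a check bound to the action itself; the request parameter and session attribute names are assumptions:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not KonaKart code: a filter mapped to the state-changing action URLs
// that enforces the CSRF token regardless of the HTTP method. The parameter and
// session attribute names are assumptions.
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_PARAM = "csrfToken";        // assumed request parameter
    static final String TOKEN_SESSION_KEY = "csrfToken";  // assumed session attribute

    // Weak pattern behind CVE-2014-5516: the check hangs on the method, so the same
    // action requested via GET runs without any token check at all.
    static boolean weakCheck(HttpServletRequest req) {
        if (!"POST".equals(req.getMethod())) return true;
        return tokenMatches(req);
    }

    // Hardened: safe methods never reach a state-changing action, and every other
    // method must carry a token matching the one bound to the session.
    static boolean hardenedCheck(HttpServletRequest req) {
        String m = req.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m)) return false;
        return tokenMatches(req);
    }

    static boolean tokenMatches(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_SESSION_KEY);
        String supplied = req.getParameter(TOKEN_PARAM);
        if (expected == null || supplied == null) return false;
        // constant-time comparison so a mismatch does not leak where the token differs
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!hardenedCheck((HttpServletRequest) request)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The filter is only useful when it is mapped to every URL that performs a state change; a mapping that covers just the POST form handlers would reintroduce the original gap.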
| CVE-2014-5393 | Path traversal to sensitive files in webroot in "JobScheduler" product |
|---|---|
| Description: | Using specially crafted requests to the web interface of JobScheduler it is possible, as an underprivileged user (with the "info" permission), to list directories and read the contents of (sensitive) files from the installation of the JobScheduler web interface, including datasource configurations (for example hibernate.cfg.xml and sos_settings.ini) as well as permission config files (scheduler.xml). These can include passwords, depending on which auth backend was defined. This can also be misused to escalate from the lower "info" permission to the higher "all" permission. JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability. |
| Exploitability: | Attacker accessing the JobScheduler Operations Center (JOC) in SOS JobScheduler remotely with a malicious request |
| Escalation: | Successful retrieval of database and other backend passwords or similar sensitive config files can lead to further compromises |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x); Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x); Advisory (via BugTraq); CVE |

| CVE-2014-5392 | XML eXternal Entity (XXE) in "JobScheduler" product |
|---|---|
| Description: | Using a specially crafted request to the web interface of JobScheduler it is possible to cause denial of service situations as well as to list directories and read the contents of (sensitive) files from the filesystem of the server on which the JobScheduler web interface is installed. JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability. |
| Exploitability: | Attacker accessing the JobScheduler Operations Center (JOC) in SOS JobScheduler remotely with a malicious request |
| Escalation: | Successful retrieval of database and other backend passwords or similar sensitive config files can lead to further compromises |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x); Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x); Advisory (via BugTraq); CVE |

| CVE-2014-5391 | DOM-based Cross-Site Scripting (XSS) in "JobScheduler" product |
|---|---|
| Description: | Using a specially crafted request to the web interface of JobScheduler it is possible to execute DOM-based Cross-Site Scripting (XSS) attacks. The content of the hash part of the URL is written from location.hash directly into the HTML using document.write(), resulting in the DOM-based XSS. This enables attackers to impersonate victim users (in the context of the origin exposing the JobScheduler) when logged-in victims access attacker-supplied links/sites. JobScheduler 1.7.4241 as well as JobScheduler 1.6.4246 fix this vulnerability. |
| Exploitability: | Victim needs to visit a malicious webpage of the attacker |
| Escalation: | Escalation possible when the origin into which the JobScheduler is integrated also serves other applications/content |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.7.x); Advisory from Software- & Organisations-Service GmbH (for JobScheduler 1.6.x); Advisory (via BugTraq); CVE |

| CVE-2014-3574 | DoS in OOXML office documents against "Apache POI" library |
|---|---|
| Description: | Using a specially crafted (small) office document that includes XML entity expansions, attackers can crash applications parsing it or make them unresponsive due to excessive memory consumption. Apache POI 3.11-beta2 (released on 2014-08-22) as well as Apache POI 3.10.1 (released on 2014-08-18) fix several XXE-related vulnerabilities. |
| Exploitability: | Application needs to parse a malicious office document of the attacker with POI |
| Escalation: | Depends on the type of XXE vulnerability exploited |
| Researcher credit: | Phil Persad (who independently discovered a similar issue in POI); Christian Schneider |
| See also: | Credit from Apache (project page); Announcement from Apache; Info from SecurityFocus; CVE |

| CVE-2014-3529 | XML eXternal Entity (XXE) Information Disclosure against "Apache POI" library |
|---|---|
| Description: | The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Apache POI 3.11-beta2 (released on 2014-08-22) as well as Apache POI 3.10.1 (released on 2014-08-18) fix several XXE-related vulnerabilities. |
| Exploitability: | Application needs to parse a malicious office document of the attacker with POI |
| Escalation: | Depends on the type of XXE vulnerability exploited |
| Researcher credit: | Mohamed Ramadan (who independently discovered a similar issue in POI); Christian Schneider |
| See also: | Credit from Apache (project page); Announcement from Apache; Info from SecurityFocus; CVE |

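Added example for both Apache POI findings above (CVE-2014-3574 and CVE-2014-3529): a SAX reader configuration for OOXML document parts that refuses any DTD, so neither an external entity nor an internal entity expansion is resolved. This is illustrative code for this page, not Apache POI's own fix, and the sample OOXML-style parts are constructed:

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Added example, not Apache POI's code: a SAX reader for OOXML parts that rejects DOCTYPE
// declarations, so neither an external entity (CVE-2014-3529) nor an internal entity
// expansion (CVE-2014-3574) inside a document part is ever resolved.
public final class HardenedOoxmlSax {
    public static XMLReader newReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // OOXML parts never need a DTD: refusing DOCTYPE blocks the external entity
        // (file read) and the entity bomb (memory exhaustion) at the same point.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Second line of defence for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JDK expansion limits
        XMLReader r = f.newSAXParser().getXMLReader();
        // Anything that still asks to be resolved gets an empty document, never a file or URL.
        r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return r;
    }
    /** Parses one part with the given handler; returns false if the part was rejected. */
    public static boolean parsePart(InputStream part, DefaultHandler handler) {
        try {
            XMLReader r = newReader();
            r.setContentHandler(handler);
            r.parse(new InputSource(part));
            return true;
        } catch (Exception e) { // SAXParseException as soon as a DOCTYPE is encountered
            return false;
        }
    }
    public static void main(String[] args) {
        // Constructed samples: a clean part and one carrying an entity expansion in its DTD.
        String clean = "<?xml version=\"1.0\"?><sst><si><t>ok</t></si></sst>";
        String bomb = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY a \"aaaa\">"
                + "<!ENTITY b \"&a;&a;&a;&a;\">]><x>&b;</x>";
        for (String doc : new String[] {clean, bomb}) {
            byte[] bytes = doc.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            boolean ok = parsePart(new ByteArrayInputStream(bytes), new DefaultHandler());
            System.out.println((ok ? "accepted: " : "rejected: ") + doc.substring(0, 30));
        }
    }
}
```

The same factory settings apply to the DOM and StAX parsers an application might use on the unzipped parts; a reader that accepts a DOCTYPE anywhere in the package reopens both issues.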
| CVE-2014-3160 | Same-Origin Policy (SOP) bypass using SVG in "Google Chrome" browser |
|---|---|
| Description: | Attackers can bypass certain aspects of the Same-Origin Policy (SOP) of the Google Chrome browser using a specially crafted SVG. Chrome 36.0.1985.125 for Windows, Mac and Linux fixes this vulnerability. Google Security rewarded the responsible disclosure of this Chrome vulnerability with a bug bounty. |
| Exploitability: | Victim needs to visit a malicious webpage of the attacker |
| Escalation: | Not possible |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Google; CVE |

| CVE-2014-3149 | Reflected Cross-Site Scripting (XSS) in "Invision Power IP.Board" product |
|---|---|
| Description: | Using a specially crafted request to the web forum software IP.Board it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. Due to a token-based CSRF protection the actual exploitation is somewhat limited, since attackers have to trick victims (using Clickjacking or social engineering) into submitting attacker-supplied content. IP.Board versions below 3.4.6 as well as versions 3.3.x should be secured by applying the patch available from the vendor at http://community.invisionpower.com/topic/399747-ipboard-33x-34x-security-update/ |
| Exploitability: | Clickjacking or social engineering required |
| Escalation: | Not possible |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Invision Power; Advisory (via BugTraq); CVE |

| CVE-2014-2843 | Reflected Cross-Site Scripting (XSS) in "infoware MapSuite" product |
|---|---|
| Description: | Using a specially crafted URL to access the MapAPI it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users (in the context of the origin exposing the MapAPI) when logged-in victims access attacker-supplied links/sites. MapSuite should be upgraded as soon as possible to: |
| Exploitability: | Victim needs to visit a malicious webpage of the attacker |
| Escalation: | Escalation possible when the origin into which the MapAPI is integrated also serves other applications/content |
| Researcher credit: | Christian Schneider |
| See also: | Advisory (via BugTraq); CVE |

| CVE-2014-2233 | Server-Side Request Forgery (SSRF) in "infoware MapSuite" product |
|---|---|
| Description: | Using a specially crafted URL to access the MapAPI it is possible to issue HTTP(S) GET requests originating from the attacked server (behind the firewall) and to read the response. This enables attackers to access web servers that are not exposed to the internet and thus allows pivoting further into the targeted network. MapSuite should be upgraded as soon as possible to: |
| Exploitability: | Exploitable by unauthenticated attackers |
| Escalation: | Escalation possible when sensitive backend web servers are accessible (like unprotected internal-only admin consoles) |
| Researcher credit: | Christian Schneider |
| See also: | Advisory (via BugTraq); CVE |

| CVE-2014-2232 | Absolute Path Traversal in "infoware MapSuite" product |
|---|---|
| Description: | Using a specially crafted URL to access the MapAPI it is possible to traverse the server's filesystem (including listing directory contents) and to read files from it. This enables attackers to obtain sensitive files from the server containing passwords, configuration, source code, etc. MapSuite should be upgraded as soon as possible to: |
| Exploitability: | Exploitable by unauthenticated attackers |
| Escalation: | Escalation possible when sensitive files (config, passwords, source) are read |
| Researcher credit: | Christian Schneider |
| See also: | Advisory (via BugTraq); CVE |

| CVE-2014-2026 | Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" product |
|---|---|
| Description: | Using the request parameter of the search functionality it is possible to execute Reflected Cross-Site Scripting (XSS) attacks. This enables attackers to impersonate victim users (in the context of the origin exposing the portal) when logged-in victims access attacker-supplied links/sites. Intrexx Professional should be upgraded as soon as possible to: |
| Exploitability: | Victim needs to visit a malicious webpage of the attacker |
| Escalation: | Escalation possible when the origin of the portal also serves other applications/content |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from United Planet; Patch Listings from United Planet; CVE |

| CVE-2014-2025 | Remote Code Execution (RCE) via Unrestricted Upload in "Intrexx Professional" product |
|---|---|
| Description: | Using an unrestricted file upload it is possible to execute arbitrary code on the remote server by uploading a malicious file containing attacker-supplied code and then executing it remotely. Intrexx Professional should be upgraded as soon as possible to: |
| Exploitability: | Exploitable by unauthenticated attackers |
| Escalation: | Escalation possible by pivoting further into the internal network via the compromised servers |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from United Planet; Patch Listings from United Planet; CVE |

| CVE-2014-0043 | Information Disclosure in "Apache Wicket" web framework |
|---|---|
| Description: | By issuing requests to special URLs handled by the Apache Wicket web framework it is possible to check for the existence of particular classes in the classpath and thus to check whether a third-party library with a known security vulnerability is in use. Application developers are recommended to upgrade to: |
| Exploitability: | Exploitable by unauthenticated attackers |
| Escalation: | Not possible |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Apache; CVE |

| Reflected Cross-Site Scripting (XSS) + Server-Side Request Forgery (SSRF) in "WebService Test Page" (of Oracle WebLogic server console) | |
|---|---|
| Description: | By making a specially crafted (attacker-controlled) WSDL file available online and using a specially crafted URL with the "WebService Test Page" (which is part of the WebLogic application server installation), reflected XSS attacks and SSRF attacks are possible: |
| Exploitability: | Exploitable by unauthenticated attackers (SSRF); victim needs to visit a malicious webpage of the attacker (XSS) |
| Escalation: | Escalation to Remote Code Execution (RCE) when the victim is authenticated |
| Researcher credit: | Christian Schneider |
| See also: | Credit from Oracle as Security-In-Depth Contributor; Article about the danger of CSRF with same-origin XSS |

| CVE-2012-1712 | Path Traversal in "Java Server Faces (JSF)" web framework (Oracle & Liferay) |
|---|---|
| Description: | A specially crafted URL used against JSF portlets can be exploited to read any file from the application's classpath (like web.xml, config properties files, source code, datasource config, etc.). The vulnerability was demonstrated against a Liferay portal running on the Apache Tomcat application server. It also works on other JavaEE application servers, as long as JSF portlets are used. |
| Exploitability: | Exploitable by unauthenticated attackers |
| Escalation: | Escalation possible when sensitive files (config, passwords, source) are read |
| Researcher credit: | Christian Schneider |
| See also: | Advisory from Oracle; CVE |

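Added example covering the path traversal findings on this page (CVE-2014-5393, CVE-2014-2232 and CVE-2012-1712): resolving a user-supplied file name strictly inside a configured root, shown next to the weak pattern in which java.nio's Path.resolve() hands back an absolute argument unchanged. It is illustrative code, not taken from any affected product, and the root directory and inputs are constructed samples:

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not from any of the affected products: resolving a user-supplied file
// name strictly inside a configured root. The sample root and inputs are constructed.
public final class SafePathResolver {

    // Weak pattern: Path.resolve() returns the argument unchanged when it is absolute, and
    // without normalize() every "../" survives, so both traversal variants succeed.
    static Path weakResolve(Path root, String userSupplied) {
        return root.resolve(userSupplied);
    }

    // Hardened: no root component in the input, normalize, then require the result to stay
    // strictly below the root (the root itself would expose a directory listing).
    static Path safeResolve(Path root, String userSupplied) {
        Path base = root.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = Paths.get(userSupplied);
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("malformed path: " + userSupplied, e);
        }
        // isAbsolute() alone misses drive-relative "\foo" on Windows; getRoot() catches both.
        if (candidate.isAbsolute() || candidate.getRoot() != null) {
            throw new IllegalArgumentException("absolute path rejected: " + userSupplied);
        }
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            throw new IllegalArgumentException("path escapes root: " + userSupplied);
        }
        // Note: if the root may contain symlinks, compare toRealPath() results instead.
        return resolved;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/opt/app/webroot/public");   // constructed sample root
        String[] inputs = {"maps/berlin.png", "../../conf/hibernate.cfg.xml", "/etc/passwd", "."};
        for (String in : inputs) {
            String weak = weakResolve(root, in).normalize().toString();
            String safe;
            try { safe = safeResolve(root, in).toString(); }
            catch (IllegalArgumentException e) { safe = "REJECTED (" + e.getMessage() + ")"; }
            System.out.printf("%-32s weak -> %-40s safe -> %s%n", in, weak, safe);
        }
    }
}
```

Of the four constructed inputs only the first is accepted by safeResolve; the weak resolver happily yields /opt/app/conf/hibernate.cfg.xml and /etc/passwd for the second and third.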