Multiple Cross Site Scripting (XSS) in WSO2 Data Analytics Server Version 3.1.0 #15

Open
cybersecurityworks opened this issue Sep 18, 2017 · 0 comments

Details:

WSO2 Product Bug Report
Bug Name: Multiple Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 Data Analytics Server Product.
Version: 3.1.0
Last Updated: 09-09-2015
Homepage: https://wso2.com/analytics
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp
Vulnerable Variable: collectionName & parentPath

Description:

Cross Site Scripting (XSS) vulnerability in the WSO2 Data Analytics Server product. By exploiting a cross-site scripting vulnerability, an attacker can hijack a logged-in user's session by stealing cookies; the attacker can then change the logged-in user's password and invalidate the victim's session while retaining access.
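The root cause described above is a request parameter echoed back into the page without output encoding. The following Python illustration is added here and is not WSO2's code or the project's fix: the two page templates are hypothetical, but the parameter names (collectionName, parentPath, path) and the GET query shape are taken from the advisory. It shows how the reported input breaks out of an HTML attribute when concatenated raw, and how HTML-attribute encoding renders the same input inert.

```python
"""Added illustration (not WSO2's code): why echoing a request parameter
into HTML without encoding is a reflected XSS, and how contextual output
encoding neutralises the same input. Parameter names match the advisory
(collectionName, parentPath, path); the page templates are hypothetical."""
import html
from urllib.parse import parse_qs, urlsplit

# The GET request quoted in Issue 2, percent-encoded here as a browser would
# actually send it (constructed test input derived from the advisory).
ISSUE2_URL = ("https://WSO2IP:9443/carbon/resources/permissions_ajaxprocessor.jsp"
              "?path=%2F_system%2Ftest%2Fhack-xss%27%29%22%3E%3Cscript%3Ealert%283%29"
              "%3C%2Fscript%3E&random=1275")

# Parameters the advisory names as reflected into the response.
REFLECTED_PARAMS = ("collectionName", "parentPath", "path")


def reflected_params(url: str) -> dict:
    """Return the URL-decoded values of the named parameters, i.e. what the
    server-side JSP sees after the container decodes the query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: query[name][0] for name in REFLECTED_PARAMS if name in query}


def render_unsafe(param_name: str, value: str) -> str:
    """Hypothetical vulnerable pattern: the value is concatenated straight into
    an HTML attribute, so a quote in the input closes the attribute and the
    remainder of the input is parsed as markup."""
    return f'<input type="hidden" name="{param_name}" value="{value}">'


def render_safe(param_name: str, value: str) -> str:
    """Same template with HTML-attribute encoding applied. quote=True also
    escapes ' and ", so the attribute can no longer be broken out of."""
    encoded = html.escape(value, quote=True)
    return f'<input type="hidden" name="{param_name}" value="{encoded}">'


def contains_live_script(rendered: str) -> bool:
    """True if the rendered HTML still carries an unencoded <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, value in reflected_params(ISSUE2_URL).items():
        print(name, "unsafe  ->", render_unsafe(name, value))
        print(name, "encoded ->", render_safe(name, value))
```

The encoding must match the output context: `html.escape` is correct for element text and quoted attributes, but a value written into a JavaScript string or a URL needs the encoder for that context instead.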

Proof of Concept (PoC):

Issue 1:

Sending a POST request to https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp with XSS payloads in the vulnerable parameters collectionName and parentPath executes the XSS in the victim's browser.

[Image: xss_01_request]

Figure 1: POST request to https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp with an XSS payload in the vulnerable parameter collectionName.

[Image: xss_01_response]

Figure 2: Reflected response for the vulnerable parameter collectionName; the XSS payload is executed.

[Image: xss_02_request]

Figure 3: POST request to https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp with an XSS payload in the vulnerable parameter parentPath (the collection name must also contain an invalid symbol).

[Image: xss_02_respose]

Figure 4: Reflected response for the vulnerable parameter parentPath; the XSS payload is executed.

Issue 2:

Sending a GET request to https://WSO2IP:9443/carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Ftest%2Fhack-xss')"><script>alert(3)</script>&random=1275 executes the XSS in the victim's browser.

[Image: xss_03_request]

Figure 5: GET request to https://WSO2IP:9443/carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Ftest%2Fhack-xss')"><script>alert(3)</script>&random=1275 with the XSS payload in the path parameter, which is vulnerable to Cross Site Scripting.

[Image: xss_03_response]

Figure 6: The GET request executes the XSS payload passed through the vulnerable parameter.


Steps to Reproduce

  1. Log in to the Carbon application with the given credentials (admin/admin on localhost).
  2. Access the vulnerable GET and POST request URLs with the payload inserted into the vulnerable parameter.
  3. The XSS executes on the user's machine once the user clicks the vulnerable link carrying the XSS payload, for both the GET and POST requests.
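From the defending side, the GET variant above leaves a trace in the web server access log: a request to a Carbon resource AJAX endpoint whose decoded query parameter contains HTML markup. The following Python scanner is an added example, not part of the advisory or of WSO2; the log lines are constructed in combined-log style (the real WSO2 log layout may differ), and the endpoint pattern and parameter check are assumptions based on the two URLs reported here.

```python
"""Added example (not from the advisory or WSO2): scan access-log lines for
requests to the Carbon resource AJAX endpoints whose URL-decoded query
parameters carry HTML tag markup. Log lines are constructed samples in
Apache/Tomcat combined-style format; real WSO2 logs may differ."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: one matching the Issue 2 request shape, one benign
# request to the same endpoint, and one POST (whose body never reaches the log).
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Sep/2017:10:00:01 +0000] "GET /carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Ftest%2Fhack-xss%27%29%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&random=1275 HTTP/1.1" 200 512
10.0.0.6 - admin [18/Sep/2017:10:00:02 +0000] "GET /carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Fconfig&random=42 HTTP/1.1" 200 512
10.0.0.7 - admin [18/Sep/2017:10:00:03 +0000] "POST /carbon/resources/add_collection_ajaxprocessor.jsp HTTP/1.1" 200 128
"""

# Combined-log request line: client, user, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')

# Assumed endpoint family: the two URLs in the advisory are *_ajaxprocessor.jsp
# under /carbon/resources/.
ENDPOINT_RE = re.compile(r'^/carbon/resources/[\w-]+_ajaxprocessor\.jsp$')
# An HTML tag opener (e.g. "<script", "</script") inside a decoded value.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]', re.IGNORECASE)


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs for query parameters of a matching
    endpoint whose decoded value contains tag markup."""
    parts = urlsplit(target)
    if not ENDPOINT_RE.match(parts.path):
        return []
    decoded = parse_qs(parts.query, keep_blank_values=True)
    return [(name, value) for name, values in decoded.items()
            for value in values if MARKUP_RE.search(value)]


def scan_log(text: str) -> list:
    """Return one finding per suspicious parameter, with who sent it and where."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        for name, value in suspicious_params(m["target"]):
            findings.append({"client": m["client"], "user": m["user"],
                             "ts": m["ts"], "endpoint": urlsplit(m["target"]).path,
                             "param": name, "value": value, "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['user']} {f['endpoint']} param={f['param']!r}")
```

The scanner only sees the GET variant (Issue 2). The POST parameters from Issue 1 (collectionName, parentPath) travel in the request body, which a standard access log does not record, so catching that path needs request-body logging at a reverse proxy or WAF in front of the Carbon console.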

Timeline

2017-06-08 – Discovered in WSO2 Data Analytics Server Product version 3.1.0
2017-06-21 – Reported to security@wso2.com
2017-06-21 – Got an instant response from the WSO2 security team acknowledging the vulnerability.
2017-07-12 – Got mail confirming that the 1st issue was a new one and the 2nd issue had been reported earlier and fixed.
2017-08-21 – Public patching was in progress.
2017-09-06 – Patched; credits were also given on their pages:
[1] https://docs.wso2.com/display/Security/Acknowledgments
[2] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0265
2017-09-16 – Got a token of appreciation along with a hard copy of an appreciation certificate.


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
