Multiple Reflected Cross Site Scripting (XSS) in WSO2 Product (Data Analytics Server Version 3.2.0) #17

Open
cybersecurityworks opened this issue Nov 27, 2019 · 0 comments


Details:

WSO2 Product Bug Report
Bug Name: Multiple Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 Data Analytics Server Product.
Version: 3.2.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes

Vulnerable URL:
[1] https://WSO2IP:9443/carbon/properties/properties-ajaxprocessor.jsp
[2] https://WSO2IP:9443/carbon/ndatasource/newdatasource.jsp

Vulnerable Variable:
[1] path & name
[2] dsProvider

Description:

A Cross Site Scripting (XSS) vulnerability exists in the WSO2 Data Analytics Server Product. By exploiting it, an attacker can hijack a logged-in user's session by stealing cookies, which means the attacker can change the logged-in user's password and invalidate the victim's session while maintaining access.

Proof of concept: (POC)

Issue 1 & 2:

Access the URL and add the XSS payload xss"><script>alert(1)</script> through the vulnerable variables path & name in the POST request to execute XSS.
Figure 1: Access the URL
Figure 2: Add new property.
Figure 3: XSS payload added to path variable and gets reflected in the response.
Figure 4: Injected XSS payload gets reflected in the browser.
Figure 5: XSS payload added to name variable and gets reflected in the response.
Figure 6: Injected XSS payload gets reflected in the browser.

Issue 3:
Access the GET request URL (added with XSS payload) directly to see XSS getting reflected in the browser.
Figure 7: Access the URL to add new Data Source
Figure 8: Capturing the GET request and added XSS payload gets reflected in the response.
Figure 9: Injected XSS payload, XSS%22%3e%3cscript%3ealert(1)%3c/script%3e through vulnerable dsProvider gets reflected whenever the user tries to access the URL.


Reproducing Steps

Issue 01 & 02:

  1. Log on to the Data Analytics Server with the given credentials (admin/admin in localhost) at the URL (Localhost IP).
  2. Now, access the URL.
  3. Add a new property, capture the request in a proxy and send it to the repeater.
  4. Add the XSS payload xss"><script>alert(1)</script> to the path & name variables one by one.
  5. The injected XSS payload xss"><script>alert(1)</script> will then be reflected in the response.

Issue 03:

  1. Log on to the Data Analytics Server with the given credentials (admin/admin in localhost) at the URL (Localhost IP).
  2. Now, access the URL to add a new Data Source with the encoded XSS payload XSS%22%3e%3cscript%3ealert(1)%3c/script%3e and submit the data, which gets reflected in the browser.
  3. Or access the URL (with the XSS payload added) directly to see the XSS reflected in the browser.

Timeline

2019-05-04 – Discovered in WSO2 Data Analytics Server Product version 3.1.0
2019-05-04 – Reported to security@wso2.com
2019-05-07 - Got response from WSO2 security team, "We are looking into the issues you have reported. We will keep you posted regarding the progress of our evaluation of them."
2019-05-09 - Got mail confirming Issue 3 and rejecting Issues 1 & 2 as not valid issues.
2019-07-12 - Customer Announcement - End of July, Public Announcement: End of August.
2019-08-13 - Customer Announcement is done. Public Announcement is scheduled.
2019-09-10 - Public Announcement is done. Please refer to [1] for the Security Advisory.

Note: Since we have contributed WSO2-2017-0265 to the WSO2 team, our name is already listed on their security acknowledgment page [2].

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0616
[2] https://docs.wso2.com/display/Security/Acknowledgments


Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab
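
The reflection described above, and the output encoding that neutralizes it, as an added example that is not part of the original report and is not WSO2's actual fix. The `render` template and the assumption that the parameter lands inside a quoted HTML attribute are hypothetical, inferred from the `">` prefix of the payloads on this page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class ReflectedParamEncoding {
    // Minimal HTML attribute encoder written for this example. In a real JSP,
    // use a vetted library such as OWASP Java Encoder (Encode.forHtmlAttribute).
    static String forHtmlAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;"); break;
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical template: concatenates the request parameter into a quoted
    // attribute exactly as received (the vulnerable pattern).
    static String render(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\">";
    }

    // Same template, with the value encoded for the attribute context first.
    static String renderEncoded(String name, String value) {
        return render(name, forHtmlAttribute(value));
    }

    public static void main(String[] args) {
        // Payloads as given in the report; the dsProvider value is URL-decoded
        // the way a servlet container decodes a query-string parameter.
        String[][] params = {
            {"path", "xss\"><script>alert(1)</script>"},
            {"name", "xss\"><script>alert(1)</script>"},
            {"dsProvider", URLDecoder.decode(
                "XSS%22%3e%3cscript%3ealert(1)%3c/script%3e", StandardCharsets.UTF_8)},
        };
        for (String[] p : params) {
            String raw = render(p[0], p[1]);
            String encoded = renderEncoded(p[0], p[1]);
            System.out.println(p[0] + " raw:     " + raw);
            System.out.println(p[0] + " encoded: " + encoded);
            if (!raw.contains("<script>") || encoded.contains("<script>")) {
                throw new AssertionError("unexpected rendering for " + p[0]);
            }
        }
    }
}
```

In the raw output the `">` closes the attribute and the tag, so the `<script>` element becomes live markup; in the encoded output the whole payload stays inside the attribute value as inert text.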
