Jaws 1.1.1 Open Redirect / Object Injection / Cookie Flags

Type packetstorm
Reporter Tim Coen
Modified 2016-11-18T00:00:00


                                            `Security Advisory - Curesec Research Team  
1. Introduction  
Affected Product: Jaws 1.1.1  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: http://jaws-project.com/  
Vulnerability Type: Object Injection, Open Redirect, Cookie Flags  
Remote Exploitable: Yes  
Reported to vendor: 09/05/2016  
Disclosed to public: 11/10/2016  
Release mode: Full Disclosure  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
2. Overview  
Jaws is a content management system written in PHP. In version 1.1.1, it is  
vulnerable to various low to medium impact issues. It contains an Object  
Injection, which does not seem to be currently exploitable without custom  
changes made by users; its session cookies are not set to httpOnly, which may  
make it easier to exploit XSS issues; and it contains an Open Redirect issue.  
3. Details  
Open Redirect / Phishing  
After a login is performed, a user is redirected to a website defined in the  
URL, which may be exploited in phishing attacks.  
Note that the redirect only works if the user was not logged in previously, and  
then only after a login is performed.  
Proof of Concept:  
687474703a2f2f6578616d706c652e636f6d.html 687474703a2f2f6578616d706c652e636f6d  
is the result of a hex2bin call.  
Object Injection  
All parameters passed to the application are passed to unserialize, making the  
application vulnerable to Object Injection.  
Currently, there does not seem to be code that can be exploited via Object  
Injection, but this may change in the future, or users may have custom code  
which isn't in itself vulnerable, but would result in vulnerable code in  
combination with this issue.  
Proof of Concept:  
All values passed to the application are vulnerable, for example a cookie: GET  
/jaws-complete-1.1.1/admin.php?checksess HTTP/1.1 Host: localhost  
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:  
JAWSSESSID=O:{}; Connection: close Cache-Control: max-age=0  
Cookie Flags  
The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly  
easier to exploit XSS vulnerabilities.  
4. Solution  
This issue was not fixed by the vendor.  
5. Report Timeline  
09/05/2016 Informed Vendor about Issue (no reply)  
09/15/2016 Reminded Vendor of Disclosure Date (no reply)  
11/10/2016 Disclosed to public  
Blog Reference:  
blog: https://www.curesec.com/blog  
tweet: https://twitter.com/curesec  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany