eramba Enterprise / Community Cross Site Scripting

2016-12-16T00:00:00
ID PACKETSTORM:140185
Type packetstorm
Reporter Yunus YILDIRIM
Modified 2016-12-16T00:00:00

Description

`# Exploit Title: eramba Enterprise & Community Editions Stored XSS  
# Author: Yunus YILDIRIM (Th3GundY)  
# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com  
# Website: www.yunus.ninja  
# Contact: yunusyildirim@protonmail.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: eramba Open-Source IT GRC   
Description: eramba is a web application that helps with the analysis, management and reporting of Security,   
Governance, Risk and Compliance challenges.  
Founded in 2011 and followed by a community of tens of thousands, we are building the leading  
open-source GRC application on the Internet.  
Vendor URL: http://www.eramba.org  
Download Link: http://www.eramba.org/resources/download/  
  
  
2. VULNERABILITY SUMMARY  
========================  
  
Stored XSS in Notification Page.  
eramba is vulnerable to a stored XSS when a user creates a Notification with a  
malicious payload in the "Notification Name" field.  
The HTML/JavaScript payload is executed when another user views the  
Notifications page.  
  
  
  
3. TECHNICAL DETAILS  
========================  
  
Stored XSS in Notification Page.  
The "Notification Name" value submitted through the Manage form under  
System - Settings - Notifications (/notificationSystem/attach/Project) is stored  
and later rendered on the Notifications list (/notificationSystem/index/Project)  
without HTML encoding. A name such as "><svg/onload=prompt(/CT-Zer0/)> therefore  
closes the attribute it is placed in and executes in the browser of every user  
who views that list.  
  
  
4. PROOF OF CONCEPT  
========================  
  
PoC for Enterprise or Community Edition:  
1- Go to the System - Settings - Notifications menu, or   
go directly to http://<eramba-IP>/notificationSystem/attach/Project  
2- Click the Manage button  
3- Click Add Warning, Add Awareness or Add Default (any of them works)  
4- In the "Notification Name" field, enter the payload "><svg/onload=prompt(/CT-Zer0/)>  
5- Save it; the pop-up appears when the list at  
/notificationSystem/index/Project is viewed  
  
PoC Video: https://www.youtube.com/watch?v=03xNMcpXqTs  
  
  
5. AFFECTED VERSIONS  
====================  
Community Edition <= c1.0.6.001  
Enterprise Edition <= e1.0.6.018  
  
  
Vulnerability Disclosure Timeline:  
==================================  
29/11/2016 - Contact With Vendor  
30/11/2016 - Vendor Response  
14/12/2016 - Public Disclosure  
`
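To make the defect in section 3 and the PoC in section 4 concrete from the defender's side, here is an added Python example; it is not code from the advisory or from eramba, and the row template, the function names and the benign sample name are assumptions. It renders the advisory's payload through a vulnerable string-concatenation template and through an HTML-encoding one, checks each output for tags that are not part of the template, and sweeps a list of stored Notification Names for characters that can break out of an attribute, which is the check an operator would run over existing records after patching.

```python
import html
import re

# Constructed sample inputs for this example (the payload is the one quoted in the advisory).
PAYLOAD_NAME = '"><svg/onload=prompt(/CT-Zer0/)>'
BENIGN_NAME = "Quarterly policy review reminder"

# Tags that legitimately occur in the (hypothetical) notification-list row template below.
EXPECTED_TAGS = {"td", "input"}


def render_vulnerable(name: str) -> str:
    """Defect class described in the advisory: the stored name is concatenated
    straight into the HTML of the Notifications list, so a value starting with
    '">' closes the attribute and everything after it is parsed as markup."""
    return '<td><input type="text" value="' + name + '"></td>'


def render_fixed(name: str) -> str:
    """Mitigation: HTML-encode at output time. quote=True also encodes the
    double and single quote, which matters because the value sits inside an
    attribute (PHP's htmlspecialchars() with ENT_QUOTES does the same job)."""
    return '<td><input type="text" value="' + html.escape(name, quote=True) + '"></td>'


def injected_tags(rendered: str) -> set:
    """Detection on the rendered HTML: every start-tag name in the output that
    is not part of the template came from user-controlled data."""
    found = {m.lower() for m in re.findall(r"<\s*([A-Za-z][A-Za-z0-9]*)", rendered)}
    return found - EXPECTED_TAGS


def flag_stored_names(names):
    """Sweep of already-stored Notification Names (e.g. a DB export taken while
    patching): returns (index, name) for every entry carrying characters that
    can close an HTML attribute or open a tag."""
    suspicious = re.compile(r'[<>"\'&]')
    return [(i, n) for i, n in enumerate(names) if suspicious.search(n)]


if __name__ == "__main__":
    for name in (BENIGN_NAME, PAYLOAD_NAME):
        vulnerable = render_vulnerable(name)
        fixed = render_fixed(name)
        print("vulnerable:", vulnerable, "-> injected:", injected_tags(vulnerable))
        print("fixed:     ", fixed, "-> injected:", injected_tags(fixed))
    print("flagged stored names:", flag_stored_names([BENIGN_NAME, PAYLOAD_NAME]))
```

The encoded output keeps the literal text of the payload visible in the field but contains no `<svg` tag, so nothing executes; the sweep is deliberately broad (it also flags a harmless ampersand) because a false positive on a notification name costs a glance, while a miss leaves a stored payload in place.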