Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HumHub 1.0.1 Cross Site Scripting

🗓️ 17 Mar 2017 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 44 Views

HumHub 1.0.1 & Earlier XSS Vulnerabilities: Reflected & Self-XS

Code
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: HumHub 1.0.1 and earlier  
Fixed in: 1.1.1  
Fixed Version https://www.humhub.org/en/download/default/form?version=1.1.1  
Link: &type=zip  
Vendor Website: https://www.humhub.org/  
Vulnerability XSS  
Type:  
Remote Yes  
Exploitable:  
Reported to 01/10/2016  
vendor:  
Disclosed to 03/17/2017  
public:  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
HumHub is a social media platform written in PHP. In version 1.0.1 and earlier,  
it is vulnerable to a reflected XSS attack if debugging is enabled, as well as  
a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript  
keyloggers, or bypass CSRF protection.  
  
3. Details  
  
XSS 1: Reflected XSS  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: When the debug mode is enabled, which it is by default, the  
UserSearch parameter is vulnerable to reflected XSS. Additionally, the  
resulting error page discloses all cookies - even httpOnly cookies -, and the  
contents of the $_SERVER array.  
  
Proof of Concept:  
  
http://localhost/humhub-0.20.0/index.php?UserSearch[last_login]=<script>alert  
(1)</script>&r=admin%2Fuser  
  
XSS 2: DOM-based Self-XSS  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
There is a reflected DOM-based self-XSS vulnerability in HumHub. It may be  
possible to exploit this issue via ClickJacking in some browsers.  
  
Proof of Concept:  
  
Visit the profile of a user: http://localhost/humhub-0.20.0/index.php?r=  
space%2Fspace&sguid=d2f06d0a-47e1-4549-b469-c8a1df48faca In the "What's on your  
mind?"-text box enter: '"><img src=no onerror=alert(5)>  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.1.1:  
  
https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
01/10/2016 Informed Vendor about Issue  
01/12/2016 Vendor confirms issue  
02/10/2016 Vendor requests more time  
08/16/2016 Vendor releases partial fix  
09/26/2016 Vendor releases fix  
03/27/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/HumHub-101-XSS-195.html  
  
--  
blog: https://www.curesec.com/blog  
Atom Feed: https://www.curesec.com/blog/feed.xml  
RSS Feed: https://www.curesec.com/blog/rss.xml  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Mar 2017 00:00Current
0.2Low risk
Vulners AI Score0.2
humhubphpxssvulnerabilitydebuggingcookiesjavascriptcsrfclickjackingupgradecuresectimelinecuresec research team
44