ID SECURITYVULNS:DOC:31659 Type securityvulns Reporter Securityvulns Modified 2015-01-25T00:00:00
Description
CVE-2015-1032
A cross-site scripting vulnerability in the "Kiwix" zim file reader was
discovered by Emmanuel Engelhart on 31 October 2014, and was reported on
Sourceforge here: http://sourceforge.net/p/kiwix/bugs/763/
This vulnerability does not affect most users of the program, only those
using the "kiwix-serve" binary to allow zim files to be read over a network.
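Input to the search bar was not sanitised before being returned in the
response page, so arbitrary JavaScript supplied in a search request could be
reflected by servers running this program and run in the browser of the user
viewing the result.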
This image shows a proof of concept:
http://sourceforge.net/p/kiwix/bugs/763/attachment/ppdhmq.png
This vulnerability was fixed by Emmanuel Engelhart on 8 January 2015
with this commit:
http://sourceforge.net/p/kiwix/kiwix/ci/d1af5f0375c6db24d4071acf4806735725fd206e
{"id": "SECURITYVULNS:DOC:31659", "bulletinFamily": "software", "title": "CVE-2015-1032 Kiwix Cross-Site Scripting Vulnerability", "description": "\r\n\r\nCVE-2015-1032\r\n\r\nA cross-site scripting vulnerability in the \"Kiwix\" zim file reader was\r\ndiscovered by Emmanuel Engelhart on 31 October 2014, and was reported on\r\nSourceforge here: http://sourceforge.net/p/kiwix/bugs/763/\r\n\r\nThis vulnerability does not affect most users of the program, only those\r\nusing the \"kiwix-serve\" binary to allow zim files to be read over a network.\r\n\r\nInput to the search bar was not sanitised, thus allowing arbitrary\r\njavascript code to be sent via servers running this program.\r\n\r\nThis image shows a proof of concept:\r\nhttp://sourceforge.net/p/kiwix/bugs/763/attachment/ppdhmq.png\r\n\r\nThis vulnerability was fixed by Emmanuel Engelhart on 8 January 2015\r\nwith this commit:\r\nhttp://sourceforge.net/p/kiwix/kiwix/ci/d1af5f0375c6db24d4071acf4806735725fd206e\r\n\r\n", "published": "2015-01-25T00:00:00", "modified": "2015-01-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31659", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2015-1032"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:57", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 5.7, "vector": "NONE", "modified": "2018-08-31T11:10:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1032"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805131"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14235"]}], "modified": "2018-08-31T11:10:57", "rev": 2}, "vulnersScore": 5.7}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-12-09T20:03:00", "description": "Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search.", "edition": 5, "cvss3": {}, "published": "2015-01-21T15:28:00", "title": "CVE-2015-1032", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1032"], "modified": "2018-10-09T19:55:00", "cpe": ["cpe:/a:kiwix:kiwix:0.9"], "id": "CVE-2015-1032", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1032", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:kiwix:kiwix:0.9:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-11T21:22:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1032"], "description": "The host is installed with Kiwix\n and is prone to xss vulnerability.", "modified": "2020-05-07T00:00:00", "published": "2015-01-28T00:00:00", "id": "OPENVAS:1361412562310805131", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805131", "type": "openvas", "title": "Kiwix Server 'pattern' Parameter Cross-Site Scripting Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Kiwix Server 'pattern' Parameter Cross-Site Scripting Vulnerability\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805131\");\n script_version(\"2020-05-07T07:20:00+0000\");\n script_cve_id(\"CVE-2015-1032\");\n script_bugtraq_id(72279);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 07:20:00 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-01-28 13:22:01 +0530 (Wed, 28 Jan 2015)\");\n script_name(\"Kiwix Server 'pattern' Parameter Cross-Site Scripting Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Kiwix\n and is prone to xss vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data via HTTP GET request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Input passed via the 'pattern' parameter\n to '/search' is not properly sanitised before being returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary HTML and script code in a users browser session\n in the context of an affected site.\");\n\n 
script_tag(name:\"affected\", value:\"Kiwix version 0.9 and prior.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch manually from the referenced vendor link.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://sourceforge.net/p/kiwix/bugs/763\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130007\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/534502/100/0/threaded\");\n script_xref(name:\"URL\", value:\"http://sourceforge.net/p/kiwix/kiwix/ci/d1af5f0375c6db24d4071acf4806735725fd206e\");\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8000);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nhttp_port = http_get_port(default:8000);\n\nrcvRes = http_get_cache(item:\"/\", port:http_port);\n\nif(\">Welcome to Kiwix Server<\" >< rcvRes)\n{\n url = '/search?content=sadas&pattern=<script>' +\n 'alert(document.cookie)</script>';\n\n if(http_vuln_check(port:http_port, url:url, check_header:TRUE,\n pattern:\"<script>alert\\(document.cookie\\)</script>\",\n extra_check:\">Fulltext search unavailable<\"))\n {\n report = http_report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-1177", "CVE-2015-1179", "CVE-2015-1180", "CVE-2015-1032", "CVE-2015-1175", "CVE-2015-1176", "CVE-2015-1178"], "description": "PHP inclusions, SQL 
injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2015-01-25T00:00:00", "published": "2015-01-25T00:00:00", "id": "SECURITYVULNS:VULN:14235", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14235", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}