Feng Office 2.3.2-rc Cross Site Scripting Vulnerability

Advisory ID: HTB23174
Product: Feng Office
Vendor: Secure Data SRL
Vulnerable Version(s): 2.3.2-rc and probably prior
Tested Version: 2.3.2-rc
Advisory Publication:  September 18, 2013  [without technical details]
Vendor Notification: September 18, 2013 
Public Disclosure: October 9, 2013 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-5744
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Feng Office, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of vulnerable application.


1) Cross-Site Scripting (XSS) in Feng Office: CVE-2013-5744

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in "ref_[any]" HTTP GET parameter passed to "/index.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The exploitation example below uses JavaScript "alert()" function to display user's cookies:

http://[host]/index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E



-----------------------------------------------------------------------------------------------

Solution:

Vendor did not reply to 3 notifications by email, 1 notification by twitter, 1 notification by contact form on website, 1 forum thread, 1 support ticket. Currently we are not aware of any official solution for this vulnerability.

Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23174-patch.zip

#  0day.today [2018-02-18]  #