Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Jaws 1.1.1 Open Redirect / Object Injection / Cookie Flags Vulnerabilities

🗓️ 19 Nov 2016 00:00:00Reported by Tim CoenType 
zdt
 zdt🔗 0day.today👁 29 Views

Jaws 1.1.1 contains Open Redirect, Object Injection, and Cookie Flags vulnerabilities, allowing for potential phishing attacks and exploitation of XSS issues

Code
1. Introduction

Affected Product:    Jaws 1.1.1
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://jaws-project.com/
Vulnerability Type:  Object Injection, Open Redirect, Cookie Flags
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Jaws is a content management system written in PHP. In version 1.1.1, it is
vulnerable to various low to medium impact issues. It contains an Object
Injection, which does not seem to be currently exploitable without custom
changes made by users; its session cookies are not set to httpOnly, which may
make it easier to exploit XSS issues; and it contains an Open Redirect issue.

3. Details

Open Redirect / Phishing

After a login is performed, a user is redirected to a website defined in the
URL, which may be exploited in phishing attacks.

Note that the redirect only works if the user was not logged in previously, and
then only after a login is performed.

Proof of Concept:

http://localhost/jaws-complete-1.1.1/index.php/users/login/referrer/
687474703a2f2f6578616d706c652e636f6d.html 687474703a2f2f6578616d706c652e636f6d
is the result of a hex2bin call.

Object Injection

All parameters passed to the application are passed to unserialize, making the
application vulnerable to Object Injection.

Currently, there does not seem to be code that can be exploited via Object
Injection, but this may change in the future, or users may have custom code
which isn't in itself vulnerable, but would result in vulnerable code in
combination with this issue.

Proof of Concept:

All values passed to the application are vulnerable, for example a cookie: GET
/jaws-complete-1.1.1/admin.php?checksess HTTP/1.1 Host: localhost
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:
JAWSSESSID=O:{}; Connection: close Cache-Control: max-age=0

Cookie Flags

The JAWSSESSID cookie does not have the httpOnly flag set, making it slightly
easier to exploit XSS vulnerabilities.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/05/2016 Informed Vendor about Issue (no reply)
09/15/2016 Reminded Vendor of Disclosure Date (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Jaws-111-Object-Injection-Open-Redirect-Cookie-Flags-168.html

#  0day.today [2018-04-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Nov 2016 00:00Current
0.3Low risk
Vulners AI Score0.3
jaws 1.1.1open redirectobject injectioncookie flagsphpvulnerabilitiesremote exploitablefull disclosurecuresec gmbhvendor websitereport timelineblog reference
29