Logo
Hamburger Menu Icon
Yoroi Background

CVE Advisory - Full Disclosure Multiple Vulnerabilities

Introduction

During a security assessment on FusionDirectory version 1.3 two criticalities have been identified.
FusionDirectory allows to manage data archived in LDAP directories so, as you might imagine, security problems leading to an exposure of personal and enterprise could have a serious impact on the business.

Advisory

https://github.com/fusiondirectory/fusiondirectory/commit/cb349516a641e5933a7f0e0dd3df481b21e7455f

CVE-2022-36180 - Cross Site Scripting – CWE 79

CVE-2022-36180 - Cross Site Scripting – CWE 79
product line
FusionDirectory
version
1.3
Score
6.1
Impact
Medium
owasp category
A03 - Injection
owasp control
WSTG-INPV-02, WSTG-CLNT-03
prerequisites
No special configuration is required to reproduce the issue

Description

FusionDirectory does not sanitize the parameters message and plug. The value of the parameters is reflected within the HTTP response and allows a threat actor to potentially run malicious code inside the browser’s victim.

Owasp Category

A03 – Injection

Client-side scripts are used extensively by modern web applications.
They perform from simple functions (such as the formatting of text) up to full manipulation of client-side data and Operating System interaction. Cross Site Scripting (XSS) allows clients to inject scripts into a request and have the server return the script to the client in the response.
This occurs because the application is taking untrusted data (in this example, from the client) and reusing it without performing any validation or sanitization.
If the injected script is returned immediately this is known as reflected XSS. If the injected script is stored by the server and returned to any client visiting the affected page, then this is known as persistent XSS (also stored XSS).

Proof of concept

Technical Description

The identified vulnerability is a reflected XSS, that is where, the JavaScript code that is about to be run by the unaware victim, is included in the URL itself.
Thanks also to an improper cookie configuration it is possible to steal the identity of the victim that is about to visit the malicious URL, in fact triggering the code execution.

Figure 1 - Reflected XSS attack

Figure 2 - Cookies not protected by the HttpOnly flags

The affected endpoints are the following:

GET /fusiondirectory/index.php?message=<img+src=1+onerror=alert(document.cookie)>

GET /fusiondirectory/index.php?message=invalidparameter&plug=<img+src=1+onerror=alert(document.cookie)>

GET /fusiondirectory/index.php?signout=1&message=<img+src=1+onerror=alert(document.cookie)>&plug=[id]

Impact

It must be stressed that this vulnerability can be exploited by an unauthenticated attacker, leading to an escalation of privileges in relation to the degree of the compromised user.
The session cookie is not protected by the HttpOnly flag, therefore its content can be read by JavaScript and sent to the attacker machine.

Mitigation

Thanks to the close cooperation and directives given to the FusionDirectory developers, it is possible now to mitigate the previously described vulnerabilities updating the application to the version 1.3.1.

Timeline

  • First contact with vendor: 28/06/2022
  • Vulnerabilities confirmed by vendor: 07/07/2022
  • CVE request: 12/07/2022
  • Request for publication: 03/10/2022
  • Agreed release date: 02/11/2022


Reference

https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://cwe.mitre.org/data/definitions/79.html

CVE-2022-36179 – Improper Session Handling – CWE 613

CVE-2022-36179 - Improper Session Handling - CWE 613
product line
FusionDirectory
version
1.3
Score
3.1
Impact
Low
owasp category
A07 – Identifications and Authentication Failures
owasp control
WSTG-SESS-01
affected endpont - affected parameter
prerequisites
No special configuration is required to reproduce the issue

Description

FusionDirectory does not renew the session cookie after the user’s login process.

Owasp Category

A07 – Identifications and Authentication Failures
An improper session handling refers to an erroneous management of the session which identifies the user. Typical examples are:

  • Failure to use a cryptographically strong random value as a session identifier
  • Failure to protect the confidentiality of the session identification cookie
  • Failure to renew the session cookie at login
  • Failure to invalidate the session on logout
  • Failure to automatically close the session on the server after a predefined period of inactivity.
  • Failure to invalidate the session after closing the browser

Proof of concept

Technical Description

The application does not renew the session cookie after the login.
More precisely, when the user visits for the first time the login page, the server assigns him a session cookie that does not change after the user uses his credentials to login.

Impact

This vulnerability elevates the impact of the previous one (XSS): it is possible to steal the session cookie and wait for the compromised user to authenticate.

Mitigation

Thanks to the close cooperation and directives given to the FusionDirectory developers, it is possible now to mitigate the previously described vulnerabilities updating the application to the version 1.3.1.

Timeline

  • First contact with vendor: 28/06/2022
  • Vulnerabilities confirmed by vendor: 07/07/2022
  • CVE request: 12/07/2022
  • Request for publication: 03/10/2022
  • Agreed release date: 02/11/2022

Reference

https://owasp.org/www-project-mobile-top-10/2014-risks/m9-improper-session-handling
https://cwe.mitre.org/data/definitions/613.html

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram