Re: Multiple XSS in KnowledgeTree Community Edition

[advisory () htbridge ch]

15.01.2012 18:30, Henri Salo пишет:
> On Wed, Jan 11, 2012 at 11:50:25AM +0100, advisory () htbridge ch wrote:
> > Advisory ID: HTB23065
> > Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_knowledgetree_community_edition.html
> > Product: KnowledgeTree Commercial and Community Editions
> > Vendor: KnowledgeTree Inc. ( http://knowledgetree.org )
> > Vulnerable Version: 3.7.0.2 and probably prior
> > Tested Version: 3.7.0.2
> > Vendor Notification: 21 December 2011
> > Vendor Patch: 23 December 2011
> > Vulnerability Type: XSS
> > Status: Fixed by Vendor
> > Risk Level: Medium
> > Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
> >
> >
> > Advisory Details:
> >
> > High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in KnowledgeTree Community Edition, 
> > which can be exploited to perform cross-site scripting attacks.
> >
> > Input appended to the URL after multiple files is not properly sanitised before being returned to the user.
> > This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected 
> > site
> >
> > The following PoC code is available:
> >
> > http://[host]/login.php/%22onmouseover=alert%28document.cookie%29;%3E
> > http://[host]/admin.php/%22onmouseover=alert%28document.cookie%29;%3E
> > http://[host]/admin.php/%22onmouseover=alert%28document.cookie%29;%3E
> > http://[host]/preferences.php/%22onmouseover=alert%28document.cookie%29;%3E
> >
> > Successful exploitation of this vulnerabilities requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" 
> > (default value is "default").
> >
> >
> >
> > Solution:
> >
> > Apply Vendor patch:
> > http://www.knowledgetree.org/Security_advisory:_URL_Manipulation
> >
> >
> > Disclaimer: Details of this Advisory may be updated in order to provide as accurate information as possible. The latest 
> > version of the Advisory is available on the web page in Reference field.
> Main page says: "KnowledgeTree Community Edition is unsupported, untested software and not designed for production use. 
> KnowledgeTree Inc. does not warrant this software in any way." and atest version is 3.7, which is released December 2009. 
> Could you give me the URL where they responded to your contact and fixed this vulnerability?
>
> Even their https://issues.knowledgetree.com/ says "Your KnowledgeTree account has been suspended."
>
> If one does fill their form and download this they are still serving 3.7 version. In download-page there is also link 
> http://www.scribd.com/doc/23362922/What%E2%80%99s-New-in-KnowledgeTree-3-7 to "What's new"-page, which is only about 
> Commercial Edition.
>
> Quality product..
>
> - Henri Salo
Hello,

We have managed to contact the Vendor by sourceforge website:

http://sourceforge.net/projects/knowledgetree/
http://sourceforge.net/users/danielchalef

Regards,

High-Tech Bridge SA Security Research Lab