Date: Mon, 27 Jul 2015 15:28:33 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 cross-site scripting vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross Site Scripting (CWE-79)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-27
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments contains a flaw that allows a stored cross-site scripting
(XSS) attack. This flaw exists because the appointment registration
functionality does not validate input to the 'first-name', 'last-name' or
'phone-number' parameters before returning it to authenticated users. This
allows a context-dependent attacker to create a specially crafted request
that would execute arbitrary script code in a user's browser session within
the trust relationship between their browser and the server.

Root cause:

The software does not neutralize user-controllable input before it is placed
in output that is used as a web page that is served to authenticated users.

Proof-of-concept:

1. Select a service and a provider
2. Select date and time
3. Fill in your information using payload as First name:
   Henri"><img src='#' onerror=alert(document.cookie) />
4. Log in as administrator or as provider/secretary
5. Go to "Calendar"
6. Open up the appointment
7. Malicious code is executed

Fixed in the following commit:
https://github.com/alextselegidis/easyappointments/commit/914d3af8c2e513b49bd27955b32b4ce1d50b7325

References:
http://cwe.mitre.org/data/definitions/79.html
https://en.wikipedia.org/wiki/Cross-site_scripting
https://scapsync.com/cwe/CWE-79
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVtiPxAAoJECet96ROqnV0rbcQAKHk/0l1Z20OQYRD+cDSHDlM
dYZQ8ueAhNrIluD9X+KrL5Y0qYcnsliQBwkZS0xeswqS4jIvRtLJuyjJP72aabDA
h6JAUnGUIEFn6laKprEebMgexrs1gQ8uI8R2EP00lKipf7S1zfIWfITsjy6rW0oL
utBU7jeE9SG0SaUfOj+h5oOaa+yeA0k7kapkl2nmynG7MtWbWxgWwIZkO47+3tI5
q0atLvpOLeh8V2KipTkGsdxsZFeDt778zedL59GqLFFDSUfXBJoIclTM9v4lRvbs
Kapgtq9M55KjgSwKMDwCFrQ+uY1xCdswi0RgBiUyDe8REvQYlS7Xf2Pv0WTcrYvm
ogNdoPqAK2vSO7MlH9KKXaycQcG3HzblsPEg9BrfdSmNASt7vgongwW6D5yh9nlk
U4VBWBrcWRwwQBaIh7BW+0vg0p2Q4pNEjBFA2eAHibTk9hlexbNusyY05ehDLgWI
0EBbaj1pqCydUjK4feYNFMk975S/uPcSW3K+BliGk4fgBkPUsk9XX0zfcTm46QKK
AXmEEqlg7DO5AVUKP8bTipwJi4ZjYPEH+fA3DNbdl/OH/eBJXy5ImRxvey31DG54
Bbxabh/gOWlhSRmhT93cEKnBGi9GMUx7oNcpRqglNHd/rSsU4yfySNR4bUf1HzD4
wGK5beno2YAwGfu/INkQ
=+FHU
-----END PGP SIGNATURE-----
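The following is an added example, not code from the advisory above and not Easy!Appointments' own code. It reproduces the rendering pattern behind the reported flaw and sets the output-encoding fix described in the linked OWASP prevention cheat sheet beside it. It assumes (the advisory does not say this) that the backend calendar copies the stored customer fields into `<input value="...">` elements by string concatenation; the appointment record, the `renderCustomerForm*` functions, `countTagStarts` and the `isPlausiblePhoneNumber` helper are all constructed for the illustration. The first-name value is the payload from step 3 of the proof-of-concept.

```javascript
// Stored XSS in the appointment 'first-name' field, reproduced as plain
// string rendering (Node.js, no DOM needed). Added illustration only;
// the vulnerable template shape is an assumption, not the project's code.

// Payload from the advisory's proof-of-concept (step 3). It closes the
// value="..." attribute, then injects an <img> whose onerror handler
// fires because src='#' cannot load an image.
const POC_FIRST_NAME = 'Henri"><img src=\'#\' onerror=alert(document.cookie) />';

// Constructed appointment record, as it might sit in the database after
// the booking form from step 3 was submitted.
const storedAppointment = {
  firstName: POC_FIRST_NAME,
  lastName: 'Salo',
  phoneNumber: '+358 40 123 4567',
};

// Vulnerable rendering (assumed): raw concatenation into HTML attributes.
function renderCustomerFormUnsafe(appt) {
  return (
    '<input id="first-name" value="' + appt.firstName + '">' +
    '<input id="last-name" value="' + appt.lastName + '">' +
    '<input id="phone-number" value="' + appt.phoneNumber + '">'
  );
}

// HTML entity encoding for the five characters that change meaning in
// element content or in a double/single-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted value is encoded at the output sink.
function renderCustomerFormSafe(appt) {
  return (
    '<input id="first-name" value="' + escapeHtml(appt.firstName) + '">' +
    '<input id="last-name" value="' + escapeHtml(appt.lastName) + '">' +
    '<input id="phone-number" value="' + escapeHtml(appt.phoneNumber) + '">'
  );
}

// Counts '<' followed by a letter, i.e. positions where an HTML parser
// starts a new tag. The template has three inputs; the unsafe output gains
// a fourth tag (the injected <img>), the safe output keeps exactly three.
function countTagStarts(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Defense in depth at input time for the 'phone-number' parameter: digits,
// spaces and common separators only. This does not replace output encoding:
// names legitimately contain apostrophes (O'Brien), and validation cannot
// cover every sink the stored value later reaches.
function isPlausiblePhoneNumber(value) {
  return /^\+?[0-9 ()\-.]{3,32}$/.test(value);
}

console.log('unsafe:', renderCustomerFormUnsafe(storedAppointment));
console.log('safe:  ', renderCustomerFormSafe(storedAppointment));
```

In the real application the equivalent of `escapeHtml` has to be applied at every place the stored fields are displayed (the calendar popup, the appointment edit dialog, any notification e-mail), and assigning the value through the DOM (`input.value = name`) instead of building markup avoids the attribute context entirely.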