Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Aug 2017 13:43:59 +0000
From: Wen Bin Kong <kongwenbin@...e.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2017-12882, CVE-2017-12881: Stored XSS and CSRF on
 Spring Batch Admin before 1.3.0

Hi,

I found the following vulnerabilities on Spring Batch Admin, below are the CVE ID for reference:

* CVE-2017-12881 - Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability

* CVE-2017-12882 - Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality

--------------------------------
Application Description
--------------------------------
Spring Batch Admin provides a web-based user interface that features an admin console for Spring Batch applications and systems. It is an open-source project from Spring. 

--------------------------------
Vulnerable Payload
--------------------------------
/files?path=<script>alert(42)</script>

--------------------------------
Mitigation / Recommendation
--------------------------------
Understand that no patches will be published as product is going to EOL soon. The recommendation given by the vendor is to move off Spring Batch Admin onto Spring Cloud Data Flow going forward. I (discoverer) seconded the recommendation as it will no longer be supported, but if your organisation still require to use this application internally for some reason and does not want to deploy another product to replace it, you can consider entirely removing the file.php page if your team does not require to use it to upload new configurations often. Or implement a fix to sanitise the user controlled 'path' parameter value on the file.php page. 

--------------------------------
Discovery Timeline (key events)
--------------------------------
March 2017 - initial report submitted to Spring team
May 2017 - Spring team shared that the stored xss issue might be fixed indirectly when fixing another issue on directory traversal, thus pending a full audit to confirm this. The CSRF issue is confirmed but it is low risk so they are still determining if they are going to fix it. 
June 2017 - Spring team shared that the open source support policy for Spring Batch Admin states that Spring supports minor versions for 12 months and major version for 3 years. The last minor release of Spring Batch Admin (1.3.0) was in 2014 with one patch release since. As a result, the team is reluctant to commit to something as intensive as a full audit for this application.
July 2017 - Spring team shared that they do not plan to verify or fix the reported issues because they were planning to announce End-Of-Life (EOL) for this project soon. Also, they shared that "It is our recommendation to move off of Spring Batch Admin onto Spring Cloud Data Flow going forward".

Thank you.

Best regards,
Wen Bin

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ