Date: Mon, 27 Jul 2015 15:28:33 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 cross-site scripting vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross Site Scripting (CWE-79)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-27
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments contains a flaw that allows a stored cross-site scripting (XSS) attack. This flaw exists because the appointment registration functionality does not validate input to the 'first-name', 'last-name' or 'phone-number' parameters before returning it to authenticated users. This allows a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Root cause: The software does not neutralize user-controllable input before it is placed in output that is used as a web page that is served to authenticated users.

Proof-of-concept:

1. Select service and a provider
2. Select date and time
3. Fill in your information using payload as First name: Henri"><img src='#' onerror=alert(document.cookie) />
4. Log in as administrator or as provider/secretary
5. Go to "Calendar"
6. Open up the appointment
7. Malicious code is executed

Fixed in following commit:
https://github.com/alextselegidis/easyappointments/commit/914d3af8c2e513b49bd27955b32b4ce1d50b7325

References:
http://cwe.mitre.org/data/definitions/79.html
https://en.wikipedia.org/wiki/Cross-site_scripting
https://scapsync.com/cwe/CWE-79
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJVtiPxAAoJECet96ROqnV0rbcQAKHk/0l1Z20OQYRD+cDSHDlM
dYZQ8ueAhNrIluD9X+KrL5Y0qYcnsliQBwkZS0xeswqS4jIvRtLJuyjJP72aabDA
h6JAUnGUIEFn6laKprEebMgexrs1gQ8uI8R2EP00lKipf7S1zfIWfITsjy6rW0oL
utBU7jeE9SG0SaUfOj+h5oOaa+yeA0k7kapkl2nmynG7MtWbWxgWwIZkO47+3tI5
q0atLvpOLeh8V2KipTkGsdxsZFeDt778zedL59GqLFFDSUfXBJoIclTM9v4lRvbs
Kapgtq9M55KjgSwKMDwCFrQ+uY1xCdswi0RgBiUyDe8REvQYlS7Xf2Pv0WTcrYvm
ogNdoPqAK2vSO7MlH9KKXaycQcG3HzblsPEg9BrfdSmNASt7vgongwW6D5yh9nlk
U4VBWBrcWRwwQBaIh7BW+0vg0p2Q4pNEjBFA2eAHibTk9hlexbNusyY05ehDLgWI
0EBbaj1pqCydUjK4feYNFMk975S/uPcSW3K+BliGk4fgBkPUsk9XX0zfcTm46QKK
AXmEEqlg7DO5AVUKP8bTipwJi4ZjYPEH+fA3DNbdl/OH/eBJXy5ImRxvey31DG54
Bbxabh/gOWlhSRmhT93cEKnBGi9GMUx7oNcpRqglNHd/rSsU4yfySNR4bUf1HzD4
wGK5beno2YAwGfu/INkQ
=+FHU
-----END PGP SIGNATURE-----
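The root cause stated in the advisory is that stored field values are placed into the calendar's HTML without being neutralized. The following is an added example, not code from the advisory, from Easy!Appointments or from the linked fix commit: it puts the advisory's own payload through an unencoded rendering and through a context-encoded one and shows the difference in the resulting markup. The appointment markup template, the function names and the field names `firstName`, `lastName` and `phoneNumber` are assumptions for illustration; the project's real calendar markup is not on the page.

```javascript
// Added example (not Easy!Appointments code): HTML output encoding for the
// appointment fields the advisory names. The markup template is assumed.

// Stored-XSS payload from the advisory, used here as test input only.
const PAYLOAD = `Henri"><img src='#' onerror=alert(document.cookie) />`;

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Encoding the quote matters for this advisory:
// the payload closes an attribute with "> and then opens a new tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: fields concatenated straight into markup, which is
// the pattern the advisory's root cause describes (assumed template).
function renderAppointmentUnsafe(a) {
  return `<div class="appointment" data-phone="${a.phoneNumber}">` +
         `<strong>${a.firstName} ${a.lastName}</strong></div>`;
}

// Hardened rendering: every untrusted field is encoded before it is placed
// in the output, both in attribute context and in text context.
function renderAppointmentSafe(a) {
  return `<div class="appointment" data-phone="${escapeHtml(a.phoneNumber)}">` +
         `<strong>${escapeHtml(a.firstName)} ${escapeHtml(a.lastName)}</strong></div>`;
}

// Count tag openers in rendered markup. The assumed template contains exactly
// four (<div, <strong, </strong, </div); any extra one came from user input
// breaking out of its context. This is a cheap check a unit test can run
// over rendered fragments.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

const EXPECTED_TAGS = 4;

// Render one constructed appointment with the payload in a text-context
// field (first name) and an attribute-context field (phone number).
function demo() {
  const appt = { firstName: PAYLOAD, lastName: 'Salo', phoneNumber: PAYLOAD };
  const unsafe = renderAppointmentUnsafe(appt);
  const safe = renderAppointmentSafe(appt);
  return {
    unsafeTags: countTags(unsafe),          // 6: two injected <img> tags
    safeTags: countTags(safe),              // 4: only the template's own tags
    safeHasImg: safe.includes('<img'),      // false
    unsafeOk: countTags(unsafe) === EXPECTED_TAGS,
    safeOk: countTags(safe) === EXPECTED_TAGS,
  };
}

console.log(demo());
```

The encoding has to match the context the value lands in: a double-quoted attribute needs the quote encoded, and an unquoted attribute cannot be made safe by this table at all, so attribute values should always be quoted. In browser code that builds the calendar dynamically, assigning through `textContent` or `setAttribute` instead of concatenating HTML strings removes the need to encode by hand.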