Roller Weblogger XSS vulnerability
I. BACKGROUND
Roller is the open source blog server that drives Sun Microsystem's
blogs.sun.com employee blogging site, IBM DeveloperWorks blogs, thousands of
internal blogs at IBM Blog Central, the Javalobby's 10,000 user strong JRoller
Java community site, and hundreds of other blogs world-wide. More information
is available at the following address:
http://rollerweblogger.org/page/project
II. DESCRIPTION
Remote exploitation of a Cross-Site Scripting (XSS) vulnerability in the Roller
allows an attacker to force to inject arbitrary script code into a users
session, possibly stealing logon credentials.
To demonstrate the vulnerability, simply embed the following encoded text into
the identified vulnerable fields.
>'><script>alert(1234)</script>
This will have the affect of popping up an alert window. This proof of concept
could easily be altered to cause the script to return authentication
credentials to an attacker controlled server.
III. ANALYSIS
Successful exploitation of this vulnerability would allow an attacker to inject
arbitrary script code into the session. This could allow for the theft of
authentication information, which could lead to a compromised account.
In order for exploitation to occur, the targeted user would only have to view a
blog entry from an attacker. This vulnerability has a high potential for
widespread exploitation.
IV. DETECTION
Roller 2.3 Web application has been confirmed vulnerable.
SNORT RULES:
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit";
flow:to_server; content:"post"; depth:4; nocase; content:"method=post";
nocase;
pcre:"/(name|email|url).*=.*%22.*%3e.*%3cscript%3e.*%3c%2fscript%3e.*&/i";
classtype:web-application-activity; sid:9999991; rev:1;)
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit";
flow:to_server; content:"post"; depth:4; nocase; content:"method=preview";
nocase; pcre:"/content.*=.*%3c%2ftextarea%3e%3cscript%3e.*%3c%2fscript%3e/i";
classtype:web-application-activity; sid:9999992; rev:1;)
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit";
flow:to_server; content:"get"; depth:3; nocase;
pcre:"/sitesearch\.do\?q=.*%3cscript%3e.*%3c%2fscript%3e/i";
classtype:web-application-activity; sid:9999993; rev:1;)
V. WORKAROUND
Cenzic is currently unaware of any effective workarounds that can be
implemented on the server in order to mitigate the risk of this vulnerability;
however, there are workarounds available for client
protection. Since exploitation allows for the execution of malicious code in
web browsers, successful exploitation could be thwarted by disabling script
code and active content support within a client browser. Take note that
employing this workaround could adversely affect web sites reliant upon the
execution of browser-based script code. The following steps can be taken to
disable active scripting in
Mozilla and Internet Explorer:
Internet Explorer 5.0, 5.01, 5.5, 6
a. On the Tools menu, click Internet Options, click the Security tab, click the
Internet Web content zone, and then click Custom Level.
b. In the Settings box, scroll down to the Scripting section, and click Disable
under Active scripting and Scripting of Java applets.
c. Click OK, and then click OK again.
Mozilla Firefox
a. On the Tools menu, click Options and click the Web Features tab.
b. De-select the Enable JavaScript checkbox.
c. Click OK.
VI. VENDOR RESPONSE
We have a release candidate available now for testing, but we need
three votes from the Apache Incubator Program Management Committee
(PMC) before we can make the release official. So let's ask the PMC.
PMC members, please chime in. The release is 2.3 plus one bug fix
(strip markup from name and URL field in comments form). What would
you like to see happen before we call this a release?
You can get the release candidate here:
http://people.apache.org/~snoopdave/
The bug report:
http://opensource.atlassian.com/projects/roller/browse/ROL-1196
Vendor contact name : Dave Johnson
Vendor contact phone : N/A
Vendor contact e-mail :dave[dot]johnson[at]rollerweblogger[dot]org
Vendor reference number : N/A
VII. CVE / CERT INFORMATION
CERT has assigned a tracking number VU#366900. They take upto 45 days to make a
public disclosure.
VIII. DISCLOSURE TIMELINE
07/11/2006 Initial vendor notification
07/11/2006 Initial vendor response
??/??/??Coordinated public disclosure
IX. CREDIT
Avinash Shenoi
Cenzic Inc.
X. LEGAL NOTICES
Copyright ©
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of Cenzic. If
you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email
for permission.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.