AOH :: HP Unsorted J :: BU-1853.HTM

jQuery Validate 1.6.0 Demo Code Advisory



jQuery Validate 1.6.0 Demo Code Advisory
jQuery Validate 1.6.0 Demo Code Advisory



+----------------------------------------------+
   ADVISORY =96 jQuery Validate 1.6.0 Demo Code  
                                               
   AFFECTED PACKAGES                           
       > jQuery Validate 1.6.0                 
       > SilverStripe 2.3.X to 2.3.5           
                                               
   Discovered By CodeScan.com                  
+----------------------------------------------+

Vendor's Website:  
http://bassistance.de/jquery-plugins/jquery-plugin-validation/ 


CodeScan Labs (www.codescan.com), has recently 
released a new source code scanning tool, 
CodeScan. CodeScan is an advanced auditing tool 
designed to check web application source code 
for security vulnerabilities. CodeScan utilises 
an intelligent source code parsing engine, 
traversing execution paths and tracking the flow
of user supplied input.

During the ongoing testing of CodeScan PHP, the 
jQuery.Validate demonstration code was discovered
within another project.  




<<<   CROSS SITE SCRIPTING THROUGH ECHO   >>>

XSS in [form.php], folder [demo].  
(Full Path:  


$user = $_REQUEST['user'];
$pw = $_REQUEST['password'];
if($user && $pw && $pw == "foobar")
    echo "Hi $user, welcome back."


<<<   PROOF OF CONCEPT   >>>

http://[host]/validate/demo/form.php?user=%3Cscript%3Ealert%28%27Proof%20of%20Concept%27%29;%3C/script%3E&password=foobar 


<<<   YES, WE REALISE THIS IS DEMO CODE   >>>

A simple Google search unearthed a number of 
results for the existence of this plugin/demo
within SVN repositories, as well as on live web
servers.  Demo or not, it has been included in
distributions (Such as SilverStripe) =96 and has
been deployed in live environments.


<<<   RESPONSIBLE DISCLOSURE   >>>

We have attempted to make contact with the 
author of this plugin, to no avail.

We successfully made contact with the 
SilverStripe team who promptly tidied up.
Quick response, well done.  

<<<   EXPLICIT RECCOMENDATIONS   >>>

SilverStripe Users:  Upgrade to the latest
version of SilverStripe (2.3.6 at time of
writing), and ensure the file is deleted.

Other Users:  Chances are you do not need
this file in your project, so delete the
[form.php] file.  Otherwise, ensure proper
Sanitization.

 
<<<   CLOSING NOTES   >>>

You may be able to write secure code, but the
code you get from third parties can put you at
risk.  Always review the code of third parties
(including/especially plug ins) =96 not doing so
puts you at unnecessary risk.

-- =0D
This message has been scanned for viruses and=0D
dangerous content by Bizo EmailFilter, and is=0D
believed to be clean.=0D


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.