One Click Orgs, Multiple Vulnerabilities =============== Document Details =============== Version 1.0, 2011-11-19
=============== Background =============== “One Click Orgs allows users to set up a simple, effect legal structure and voting system which can help groups open a bank account, hold property, and keep the whole team involved in day to day decisions.” [1] After I posted a message on London Hackspace offering a security assessment for a community project, One Click Orgs responded and set up a instance of their software to allow me to test it. This was back in August 2011. OneClickOrgs has now corrected these issues, and they have updated their production instance at www.oneclickorgs.com. =============== Versions =============== Version 1.2.1 was tested, users should upgrade to version 1.2.3 to correct the listed vulnerabilities. =============== Finding 1 – Stored Cross Site Scripting =============== Instance 1 The application does not correctly encode the description field of a new vote. JavaScript can then be executed on the voting and proposal screens. The following string can be used as a proof of concept. <img src=”xyz” onerror=”alert(1)” /> Instance 2 Similar to instance one, the description field in the eject member proposal functionality is also vulnerable to stored cross site scripting =============== Finding 2 – Open URL Redirection =============== Description The application accepts any value in the ‘return_to’ field and redirects the user using a 302 to the specified value. This could be used to construct URLs which would contain a valid one click orgs instance, yet redirect the user to another site. PoC URL: http://testorg.oneclickorgs.com/votes/vote_for/8?return_to=http://dmcdonald.net =============== Finding 3 – Email Address is Not Unique =============== Description One Click Orgs allows user to amend their email address to that of another org member. If the user modifying their email address joined the org before the target user, this can prevent the user from logging in. This could also be used to masquerade as another user apparently submitting votes and comments on behalf of another user. However, votes cast would be tied to the userid of the attacking user and this would not allow additional votes. Instances When a user modifies their email address When a user is created through a proposed member vote or when they are added as an initial founder. =============== Finding 4 – 2nd Order SMTP Injection =============== Description One Click Orgs is vulnerable to SMTP Injection. This could be used to send SPAM email messages or exploit any potential vulnerabilities in the SMTP server. Instance 1 Setting the org name to contain double quote marks and newlines allows an attacker to escape the From descriptor when emails are sent to new users. Instance 2 Users can modify their email addresses to include double quotes which causes similar issues. =============== Minor Issues =============== Description One Click Orgs also corrected three other minor issues to improve the security of the application. These issues were a further low risk instance of URL redirection (only exploitable by the inital founding member or an amazingly timed CSRF), autocomplete enabled on login forms, and username discovery through differing login error message. =============== References =============== [1] One Click Orgs Website, http://www.oneclickorgs.com, Accessed 2011-11-19 =============== Links =============== http://dmcdonald.net/?page_id=43 – The latest version of this advisory http://www.oneclickorgs.com – The One Click Orgs Website ----- Renski aka Darren McDonald http://dmcdonald.net M6LUL _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
