This was fixed back in 2019:
https://github.com/apache/roller/commit/07b7858
Both 5.2.3 and 6.x should contain the fix.
I just decompiled MathCommentAuthenticator in 6.0.2 to double-check, and
it was there as expected.
-mbien
On 30.08.21 20:46, Naren wrote:
Apache roller community/Security team,
We are on Apache Roller 6.0.1 and our recent pen test shows the XSS
vulnerability below. https://www.cvedetails.com/cve/CVE-2019-0234/
recommends upgrading Roller to 5.2.3, but even with 6.0.1 the issue
persists.
Hope we will have a security patch for this soon.
Thanks
Naren
*FINDING 3.1 *
*Title *
Reflected Cross Site Scripting (XSS)
*Impact *
An attacker could use this vulnerability to execute arbitrary
JavaScript within the victim’s browser. This could allow an attacker
to hijack sessions, access data that the victim can access, or force
the browser to perform unwanted actions such as redirecting to malware
or a phishing page.
*Recommendations *
Sanitize all user controlled input that is submitted to the
application and filter for JavaScript injection statements. Input that
contains potentially dangerous characters should not be processed by
the application. Escape any user controlled input that is incorporated
in the application response.
*Additional Information *
*NIST SP 800-53 Reference *
SI-10 Information Input Validation
*Testing Process and Evidence *
The pentest team discovered that a captcha in the form of a math
equation solution is required when submitting comments on blog posts.
The solution to the math problem is submitted as the value of the
answer parameter in a request to the
/blog/director/entry/testing-after-pvt-migration-to URL, and the value
is incorporated unsanitized in the application response. The screenshot
below demonstrates submitting a cross site scripting payload as the
value of the answer parameter.
*XSS payload submitted as the value of the answer parameter*
The application reflects the value submitted in the "answer" parameter
as part of a message that the math equation was not solved correctly.
This results in the execution of the submitted cross site scripting
payload. The screenshot below demonstrates the execution of JavaScript
alert() with the value of document.domain.
#############################
This was reported in 2019
On 2019/07/11 22:14:27, Dave <[email protected]> wrote:
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions affected: Roller 5.2, 5.2.1, 5.2.2. The unsupported
> pre-Roller 5.1 versions may also be affected.
>
> Description: Roller's Math Comment Authenticator did not properly
> sanitize user input and could be exploited to perform Reflected Cross
> Site Scripting (XSS).
>
> Mitigation: The mitigation for this vulnerability is to upgrade to the
> latest version of Roller, which is now Roller 5.2.3.
>
> Credit: This issue was discovered and reported by Muthukumar Marikani
>
--
Naren
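As an added illustration of the pattern the finding describes, and not code from Roller, from the 2019 commit, or from anyone in this thread: a stand-in Java class that renders a math captcha "wrong answer" message two ways, concatenating the raw answer parameter the way the report says the vulnerable page does, and HTML-escaping it first. The class and method names, the message wording, the escaper, the numeric pre-check and the payload string are all constructed for this example; MathCommentAuthenticator's real template and the actual fix are not reproduced here.

```java
/**
 * Constructed demo of reflected XSS through a math-captcha error message.
 * Hypothetical stand-in for a comment authenticator; not Roller's code.
 */
public class MathCaptchaXssDemo {

    /** Constructed payload of the kind the pentest report describes. */
    static final String PAYLOAD = "<script>alert(document.domain)</script>";

    /** Minimal HTML escaper for text content and double-quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape: the raw request parameter is concatenated into HTML. */
    static String vulnerableError(String answer) {
        return "<p class=\"error\">Answer '" + answer + "' is incorrect, try again.</p>";
    }

    /** Hardened shape: the value is escaped before it is placed in the markup. */
    static String hardenedError(String answer) {
        return "<p class=\"error\">Answer '" + escapeHtml(answer) + "' is incorrect, try again.</p>";
    }

    /**
     * Extra check (an assumption for this demo, not a claim about the fix):
     * a captcha answer is numeric by definition, so reject anything that is
     * not a small integer before it reaches any template. Output escaping
     * stays the primary defence. Returns null when the submission is acceptable.
     */
    static String validateAnswer(String answer, int expected) {
        if (answer == null) return "no answer";
        String trimmed = answer.trim();
        if (!trimmed.matches("-?\\d{1,6}")) return "answer is not a number";
        if (Integer.parseInt(trimmed) != expected) return "wrong answer";
        return null;
    }

    public static void main(String[] args) {
        String vuln = vulnerableError(PAYLOAD);
        String safe = hardenedError(PAYLOAD);
        System.out.println("vulnerable : " + vuln);
        System.out.println("hardened   : " + safe);
        // The vulnerable output still carries a live <script> tag; the hardened one does not.
        System.out.println("script tag survives (vulnerable): " + vuln.contains("<script>"));
        System.out.println("script tag survives (hardened)  : " + safe.contains("<script>"));
        // The numeric pre-check rejects the payload without rendering it at all.
        System.out.println("validate(payload): " + validateAnswer(PAYLOAD, 7));
        System.out.println("validate(\"7\")    : " + validateAnswer("7", 7));
    }
}
```

Compile and run with `javac MathCaptchaXssDemo.java && java MathCaptchaXssDemo`. The point of the pair is that the fix is context-sensitive output encoding at the place the value is written into HTML, not a blacklist of "dangerous characters" on input as the report's recommendation suggests; the numeric check is an additional restriction that happens to be cheap for a captcha field. When verifying a deployed Roller instance, the practical test is the one the pentest team ran: submit a harmless marker such as `<b>x</b>` as the answer and inspect whether the error response returns it as markup or as `&lt;b&gt;x&lt;/b&gt;`.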