The Samba-Bugzilla – Bug 10967
Reflected XSS vulnerability in www.samba.org
Last modified: 2015-03-30 22:08:22 UTC
Created attachment 10463 [details]
Canonical Reflected XSS with alert() PoC
I'm contacting you to inform you about the presence of a Reflected XSS vulnerability on the www.samba.org main domain.
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Samba pages, or capture users data.
This reflected XSS is in the GET "id" variable of the old "JitterBug" tracker, which is not properly sanitized before being used in this page.
The old JitterBug tracker project seems to be suspended, but many other sites and projects continue to use it. They are also affected.
Proof of Concept, tested with Firefox 33.1.1 (screenshot in attachment):
http://www.samba.org/cgi-bin/jitterbug/CVS?id=1337</TITLE><img src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)" /><TITLE>;selectid=1337
Feel free to contact me for more information,
Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
thanks for the report, Yann!
Do you see any way to turn off this attack server-side, like with an X-XSS-Protection header or so?
Dan, Tridge: We should probably just go ahead and disable the live jitterbug, do you agree? Jitterbug will not get a fix for that anymore, right?
(In reply to Björn Jacke from comment #1)
The X-XSS-Protection header is interesting and necessary but not a sufficient protection for all browsers. It applies only to IE and WebKit browsers.
It is advisable to patch the vulnerability at source in the code.
The OpenLDAP Project is currently using JitterBug as its main bug tracker. I also opened a ticket to correct the vulnerability.
OpenLDAP maintainers patched the JitterBug code last night to protect themselves. View ticket: http://www.openldap.org/its/index.cgi?findid=7988
I invite you to do the same.
On 2014-11-27 at 14:20 +0000 email@example.com sent off:
> It is advisable to patch the vulnerability at source in the code.
> The OpenLDAP Project is currently using JitterBug as its main bug tracker. I also
> opened a ticket to correct the vulnerability.
> OpenLDAP maintainers patched the JitterBug code last night to protect
> themselves. View ticket: http://www.openldap.org/its/index.cgi?findid=7988
Tridge: Please let us know what you want to do here. If we don't hear back from
you we'll disable the jitterbug demo on our web server.
Dan, I corrected the non-existing address firstname.lastname@example.org to the one that is
correct. Would be nice if you could also have a look into this.
I just checked the JitterBug source code available here: https://jitterbug.samba.org/ftp/jitterbug/jitterbug-1.6.2.tar.gz
The vulnerability seems to be located in the jitterbug.c file, at the function on line 249:
void print_title(char *fmt, ...)
This function prints the title of each page with a specific format (line 273):
To fix the vulnerability, each call of this "print_title()" function needs to be hardened.
"print_title()" calls are made at the end of the jitterbug.c file, like this one:
line 2505 : print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));
line 2547 : print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));
All occurrences of cgi_variable("XXX") are reinjected into the HTML source code.
To secure these calls, the cgi.c file provides this function at line 361:
char *urlquote(char *s)
This function escapes many dangerous chars.
You can try to escape every cgi_variable("id") with the urlquote() function before using the value in the page rendering.
Thank you for keeping me informed,
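The fix described in the comment above, escaping the request-controlled "id" before print_title() interpolates it into the page, shown as an added example. This is not JitterBug's code: html_escape() and build_title_html() are hypothetical stand-ins written for this page, and they use HTML-entity escaping (the five characters that can break out of text or attribute context) rather than the tracker's own urlquote(). The title and directory arguments are treated as trusted configuration values, as in the calls quoted above; only the id comes from the request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that can change HTML structure when untrusted text
 * is interpolated into markup. Returns a freshly malloc'd string that the
 * caller must free, or NULL on allocation failure. */
char *html_escape(const char *s)
{
    size_t out_len = 0;
    const char *p;

    /* First pass: compute the escaped length. */
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break; /* &amp;  */
        case '<':  out_len += 4; break; /* &lt;   */
        case '>':  out_len += 4; break; /* &gt;   */
        case '"':  out_len += 6; break; /* &quot; */
        case '\'': out_len += 5; break; /* &#39;  */
        default:   out_len += 1; break;
        }
    }

    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;

    /* Second pass: copy, substituting entities. */
    char *q = out;
    for (p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Hypothetical stand-in for the tracker's title rendering: produces
 * "<TITLE>title - dir/id</TITLE>" with the request-controlled id escaped
 * before it is interpolated, so a value containing "</TITLE>" can no longer
 * close the element. title and dir are assumed to be trusted. */
char *build_title_html(const char *title, const char *dir, const char *id)
{
    char *safe_id = html_escape(id);
    if (!safe_id)
        return NULL;

    const char *fmt = "<TITLE>%s - %s/%s</TITLE>";
    int n = snprintf(NULL, 0, fmt, title, dir, safe_id);
    char *out = malloc((size_t)n + 1);
    if (out)
        snprintf(out, (size_t)n + 1, fmt, title, dir, safe_id);
    free(safe_id);
    return out;
}

int main(void)
{
    /* Constructed id value that tries to close the <TITLE> element. */
    const char *id = "1337</TITLE><b>x</b>";
    char *html = build_title_html("Samba", "CVS", id);
    if (!html)
        return 1;
    puts(html); /* the angle brackets from id arrive as &lt; and &gt; */
    free(html);
    return 0;
}
```

The two-pass approach keeps the function free of fixed-size buffers, which matters in a CGI that copies request data around; the escaping must be applied at the point of output, not once at input, so that every cgi_variable() value reinjected into the page goes through it.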
Have you decided on the JitterBug project status, and in particular on the vulnerable demo version on www.samba.org?
Have you tried to compile a version of the tool with the fix from the previous post?
Do not hesitate to contact the members of the OpenLDAP community who have fixed the vulnerability on their portal (http://www.openldap.org/its/index.cgi?findid=7988).
Thank you for keeping me informed,
Thanks a lot for the reminder, Yann!
I added this note on the web site now:
Jitterbug has known unfixed security vulnerabilities. Unless you know exactly what you are doing, you should not use it any more.
And I made the cgi inaccessible on our server now. Furthermore, I moved the latest stable version to old-versions. This is all we can and should do, I think. In case someone starts maintaining jitterbug again (very unlikely, I guess) we can change this again.
I'll close this bug now as the web site is fixed finally. RIP jitterbug ;-)