Bug 10967 (RXSS) - Reflected XSS vulnerability in www.samba.org
Summary: Reflected XSS vulnerability in www.samba.org
Status: RESOLVED FIXED
Alias: RXSS
Product: Samba Web
Classification: Unclassified
Component: content
Version: current
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Björn Jacke
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-26 19:20 UTC by Yann CAM
Modified: 2015-03-30 22:08 UTC (History)
CC List: 3 users

See Also:


Attachments
Canonical Reflected XSS with alert() PoC (193.11 KB, image/png)
2014-11-26 19:20 UTC, Yann CAM

Description Yann CAM 2014-11-26 19:20:36 UTC
Created attachment 10463
Canonical Reflected XSS with alert() PoC

I'm contacting you to inform you about the presence of a Reflected XSS vulnerability on the www.samba.org main domain.

Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Samba pages, or capture users data.

This reflected XSS is in the GET "id" variable of the old "JitterBug" tracker, which is not properly sanitized before being used in the page.

The old JitterBug tracker project seems to be suspended, but many other sites and projects continue to use it. They are also affected.

Proof of Concept, tested with Firefox 33.1.1 (screenshot in attachment):

    http://www.samba.org/cgi-bin/jitterbug/CVS?id=1337</TITLE><img src=x onerror="alert(/Reflected XSS - Yann CAM @ASAfety/)" /><TITLE>;selectid=1337

Feel free to contact me for more information,

Best regards,

Yann CAM - Security Consultant @ASafety - Synetis - www.synetis.com
Comment 1 Björn Jacke 2014-11-27 10:58:19 UTC
thanks for the report, Yann!

Do you see any way to turn off this attack server side, like with an X-XSS-Protection header or so?

Dan, Tridge: We should probably just go ahead and disable the live jitterbug, do you agree? Jitterbug will not get a fix for that anymore, right?
Comment 2 Yann CAM 2014-11-27 14:20:37 UTC
(In reply to Björn Jacke from comment #1)

The X-XSS-Protection header is interesting and necessary but not a sufficient protection for all browsers. It applies only to IE and WebKit browsers.

It is advisable to patch the vulnerability at source in the code.

The OpenLDAP Project is currently using JitterBug as its main bug tracker. I also opened a ticket to correct the vulnerability.

OpenLDAP maintainers patched the JitterBug code last night to protect themselves. View ticket: http://www.openldap.org/its/index.cgi?findid=7988

I invite you to do the same.
Comment 3 Björn Jacke 2014-11-27 15:39:19 UTC
On 2014-11-27 at 14:20 +0000 samba-bugs@samba.org sent off:
> It is advisable to patch the vulnerability at source in the code.
> 
> The OpenLDAP Project is currently using JitterBug as its main bug tracker. I also
> opened a ticket to correct the vulnerability.
> 
> OpenLDAP maintainers patched the JitterBug code last night to protect
> themselves. View ticket: http://www.openldap.org/its/index.cgi?findid=7988

Tridge: Please let us know what you want to do here. If we don't hear back from
you we'll disable the jitterbug demo on our web server.

Dan, I corrected the non-existing address rubbish@shearer.org to the one that is
correct. Would be nice if you could also have a look into this.
Comment 4 Yann CAM 2014-12-05 13:47:38 UTC
Hello,

I just checked the JitterBug source code available here: https://jitterbug.samba.org/ftp/jitterbug/jitterbug-1.6.2.tar.gz
The vulnerability seems to be located in the jitterbug.c file, in the function at line 249:
void print_title(char *fmt, ...)

This function prints the title of each page with a specific format (line 273):
vprintf(fmt, ap);

To fix the vulnerability, each call of this "print_title()" function needs to be enforced.

"print_title()" calls are made at the end of the jitterbug.c file, like this one:
line 2505 : print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));
or
line 2547 : print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));
or
all occurrences of cgi_variable("XXX") reinjected into the HTML source code.

To secure these calls, the cgi.c file provides this function at line 361:
char *urlquote(char *s)

This function escapes many dangerous chars.

You can try to escape all cgi_variable("id") with the urlquote() function before using the value in the page rendering.

Thank you for keeping me informed,
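The pattern described in the comment above, as an added example written for this page (it is not JitterBug's own code and the function names render_title_unsafe, render_title_safe, html_escape and count_lt are hypothetical): the request-controlled "id" is formatted straight into the <TITLE> element the way print_title("%s - %s/%s", ...) does, next to a version that HTML-entity-escapes the value first. The sample id is constructed from the PoC URL in the description. Note that the escaping applied here is HTML entity escaping for text inside the document, which is the context of the title; urlquote()-style percent-encoding is meant for values placed inside a URL and would be the wrong tool for this output context.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: what cgi_variable("id") returns for the PoC request in
   the description (the ";selectid=1337" tail is left off). */
const char *poc_id =
    "1337</TITLE><img src=x onerror=\"alert(/Reflected XSS - Yann CAM @ASAfety/)\" /><TITLE>";

/* Escape the five HTML-significant characters so the value is rendered as
   text rather than parsed as markup. Returns a malloc'd string, or NULL. */
char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':  len += 4; break;   /* &lt;   */
        case '>':  len += 4; break;   /* &gt;   */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1;
        }
    }
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *q = out;
    for (p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Mirrors the vulnerable pattern: the id goes into the page unmodified,
   exactly as print_title("%s - %s/%s", lp_title(), directory, id) does. */
char *render_title_unsafe(const char *site_title, const char *directory, const char *id)
{
    size_t sz = strlen(site_title) + strlen(directory) + strlen(id) + 32;
    char *buf = malloc(sz);
    if (!buf) return NULL;
    snprintf(buf, sz, "<TITLE>%s - %s/%s</TITLE>", site_title, directory, id);
    return buf;
}

/* Hardened form: the same output, but the untrusted id is escaped first. */
char *render_title_safe(const char *site_title, const char *directory, const char *id)
{
    char *safe_id = html_escape(id);
    if (!safe_id) return NULL;
    char *buf = render_title_unsafe(site_title, directory, safe_id);
    free(safe_id);
    return buf;
}

/* Number of '<' in the rendered markup: a title that kept the id as text has
   exactly two (the <TITLE> open and close tags); anything more means the id
   broke out of the element. */
int count_lt(const char *s)
{
    int n = 0;
    for (; *s; s++) if (*s == '<') n++;
    return n;
}

int main(void)
{
    char *bad  = render_title_unsafe("Samba", "CVS", poc_id);
    char *good = render_title_safe("Samba", "CVS", poc_id);
    printf("unsafe: %s\n  '<' count = %d\n", bad, count_lt(bad));
    printf("safe:   %s\n  '<' count = %d\n", good, count_lt(good));
    free(bad);
    free(good);
    return 0;
}
```

The '<' count is a cheap regression check for this specific page: with the PoC id the unsafe rendering contains five '<' (the real open and close tags plus the three injected ones), the escaped rendering exactly two. In a real fix the escaping belongs inside print_title() itself, or in a wrapper that every cgi_variable() value passes through on its way into HTML, rather than at each call site, since a single forgotten call site is enough to reopen the hole.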
Comment 5 Yann CAM 2015-03-30 21:29:48 UTC
Hello,

Have you decided on the JitterBug project status, and in particular on the vulnerable demo version on www.samba.org?

Have you tried to compile a version of the tool with the fix in the previous post?

Do not hesitate to contact the members of the OpenLDAP community who have fixed the vulnerability on their portal (http://www.openldap.org/its/index.cgi?findid=7988).

Thank you for keeping me informed,
Comment 6 Björn Jacke 2015-03-30 22:08:22 UTC
Thanks a lot for the reminder, Yann!

I added this note on the web site now:

--
Jitterbug has known unfixed security vulnerabilities. Unless you know exactly what you are doing, you should not use it any more.
--

And I made the cgi inaccessible on our server now. Furthermore I moved the latest stable version to old-versions. This is all we can and should do I think. In case someone starts maintaining jitterbug again (very unlikely I guess) we can change this again.

I'll close this bug now as the web site is fixed finally. RIP jitterbug ;-)