Created
February 16, 2022 20:53
> [Suggested description]
> A reflected cross-site scripting (XSS) vulnerability in forms
> generated by JQueryForm.com before 2022-02-05 allows remote attackers
> to inject arbitrary web script or HTML via the redirect parameter to
> admin.php.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php -- the admin login page for a JQueryForm.com form.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [CVE Impact Other]
> Injection of arbitrary HTML or web script content via an unsanitized GET parameter.
>
> ------------------------------------------
>
> [Attack Vectors]
> This is a reflected XSS vulnerability. In order to be exploited, someone must click a malicious link containing the arbitrary HTML or web script.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24981.
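The pattern behind CVE-2022-24981, shown as an added example that is not JQueryForm.com's code: a query-string value written unescaped into admin.php's HTML, beside a hardened version that both allow-lists the redirect target and HTML-encodes it. The parameter name `redirect` is from the advisory; the hidden-input markup, the function names and the accepted path format are assumptions made for this example.

```php
<?php
// Added example, not JQueryForm.com's code: the reflected-XSS pattern the
// advisory describes for admin.php's "redirect" parameter, beside a hardened
// replacement. The parameter name is from the advisory; the hidden-input
// markup and the allow-listed path format are assumptions for this example.

// VULNERABLE: the raw query-string value is written straight into HTML.
// admin.php?redirect="><script>alert(1)</script> closes the attribute and
// injects script that runs in the admin's browser.
function render_redirect_unsafe(string $redirect): string
{
    return '<input type="hidden" name="redirect" value="' . $redirect . '">';
}

// HARDENED, two layers: (1) accept only a same-site relative path, so the
// value can never be an external URL or a javascript: scheme; (2) HTML-encode
// it anyway, so nothing that passes the allow-list can leave the attribute.
function safe_redirect_target(?string $redirect, string $fallback = 'admin.php'): string
{
    if ($redirect === null || $redirect === '') {
        return $fallback;
    }
    // One leading slash (rejects "//evil.example" and "/\evil.example"),
    // then only characters that cannot turn the value into another URL.
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9_./?=&%-]*$#', $redirect)) {
        return $fallback;
    }
    return $redirect;
}

function render_redirect_safe(?string $redirect): string
{
    $target = safe_redirect_target($redirect);
    return '<input type="hidden" name="redirect" value="'
        . htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed inputs for a local run (php redirect_example.php).
$payload = '"><script>alert(document.cookie)</script>';
echo "unsafe: ", render_redirect_unsafe($payload), "\n";
echo "safe:   ", render_redirect_safe($payload), "\n";
echo "safe:   ", render_redirect_safe('//evil.example/'), "\n";
echo "safe:   ", render_redirect_safe('/contact/form.html?submitted=1'), "\n";
```

The allow-list is the real fix for a redirect parameter; the encoding is defence in depth. Encoding alone would stop the markup injection but still let the page redirect an admin to an attacker-chosen site, so both layers belong in the login page.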
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow a remote
> authenticated attacker to access the cleartext credentials of all
> other form users. admin.php contains a hidden base64-encoded string
> with these credentials.
>
> ------------------------------------------
>
> [Additional Information]
> The admin.php page, post-authentication, contains a hidden base64-encoded string in the HTML source that contains the usernames and passwords for all authorized users of the form.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, an attacker must be logged in to the administrative section of the form.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24982.
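An added example for CVE-2022-24982, not JQueryForm.com's code: how trivially the hidden base64 string is recovered, and the server-side pattern that removes the need to ship credentials to the browser at all (store only `password_hash()` output, verify with `password_verify()`, never echo the store). The usernames, passwords and the storage path mentioned in the comments are constructed for this example.

```php
<?php
// Added example, not JQueryForm.com's code. Per the advisory, admin.php
// embeds a hidden base64-encoded string holding every user's username and
// password in the post-login HTML. Base64 is an encoding, not protection:
// anyone who can view source recovers the lot. The hardened pattern below
// keeps only password hashes, server-side, and never writes them to a page.
// All usernames and passwords here are constructed sample data.

// What the leak looks like: decoding is one function call away.
$hidden = base64_encode("alice:Summer2021!\nbob:hunter2");
echo "recovered from view-source: ", str_replace("\n", " / ", base64_decode($hidden)), "\n";

// Hardened check. $hashes maps username -> password_hash() output and would
// be loaded from a file outside the web root (path is an assumption, e.g.
// ../private/admins.json); it is never echoed into HTML.
function verify_admin(array $hashes, string $user, string $password): bool
{
    // Always run password_verify, even for unknown users, so a failed login
    // takes the same time whether or not the username exists.
    static $dummy = null;
    $dummy ??= password_hash('dummy-never-matches', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hashes[$user] ?? $dummy);
    return isset($hashes[$user]) && $ok;
}

// Constructed store for a local run; in practice generated once, offline.
$store = [
    'alice' => password_hash('Summer2021!', PASSWORD_DEFAULT),
    'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),
];
var_dump(verify_admin($store, 'alice', 'Summer2021!'));
var_dump(verify_admin($store, 'alice', 'wrong'));
var_dump(verify_admin($store, 'mallory', 'anything'));
```

Because the hashes live on the server and the comparison happens there, an authenticated admin who views the page source learns nothing about other users, which is the access-control boundary the advisory says was missing.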
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow remote
> attackers to obtain the URI to any uploaded file by capturing the POST
> response. When chained with CVE-2022-24984, this could lead to
> unauthenticated remote code execution on the underlying web server.
> This occurs because the Unique ID field is contained in the POST
> response upon submitting a form.
>
> ------------------------------------------
>
> [Additional Information]
> Four pieces of information are required to know the URI -- the
> directory, the field number, the filename, and the unique ID. The
> directory defaults to /data/; the field number can be known by
> inspecting the form's HTML or intercepting the POST request when
> submitting a form; and the filename is under the attacker's control.
> The unique ID is the key. In all forms before 2022-02-05, the unique
> ID is contained in the POST response upon submitting a form, allowing
> an attacker knowledge of the exact URI at which to access an uploaded
> file.
>
> No authentication is required to upload a file and obtain its URI.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Path Disclosure
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms with file upload capability generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> form.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, someone must submit a vulnerable form and capture the POST response.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24983.
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 (if file-upload
> capability is enabled) allow remote unauthenticated attackers to
> upload executable files and achieve remote code execution. This occurs
> because file-extension checks occur on the client side, and because
> not all executable content (e.g., .phtml or .php.bak) is blocked.
>
> ------------------------------------------
>
> [Additional Information]
> The reason for this vulnerability is that file extension checking on
> the upload occurs client-side, and is thus easily bypassed by
> intercepting the POST request and tampering with the uploaded file.
> Server-side, forms generated prior to June 2019 (at least) will append
> a .bak extension to some filetypes often interpreted as PHP code by
> web servers (e.g. .php). However, there are two problems with this
> approach: (1) if .bak files are not blacklisted from executing PHP
> code, appending a .bak extension does not prevent PHP code from being
> executed. We have observed this behavior in the wild. Also, users of
> the form software are not notified that they must blacklist .bak
> extensions in order to use the forms safely. (2) not all filetypes
> known to execute valid PHP code have .bak appended. .phtml files, for
> instance, do not have .bak appended.
>
> Forms generated between sometime after June 2019 (we're not sure when)
> and Feb. 5, 2022 append .bak extensions to all file uploads,
> regardless of extension. This still faces problem (1), where web
> servers that do not blacklist .bak files may interpret those files as
> valid PHP (or other code), enabling unauthenticated RCE.
>
> In order to fully exploit this RCE vulnerability, it must be chained
> together with the path disclosure vulnerability for forms with file
> upload capability. That vulnerability is also disclosed in this
> submission.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> File Upload
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms with file upload capability generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> Forms generated by JQueryForm.com with file upload capability.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit this vulnerability, an unauthenticated attacker must do the
> following: fill out a vulnerable form containing file upload
> capability, submit the form and intercept the POST request, alter the
> uploaded file to be a malicious file that the web server will execute,
> submit the POST request, and capture the POST response (to know the
> path to the uploaded file). At that point, the attacker will have been
> able to (1) upload a malicious file and (2) know its path. At that
> point, the attacker must only browse to that path to cause execution
> of the malicious file.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24984.
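An added example covering both CVE-2022-24984 (client-side extension check, `.bak` suffix that does not stop execution, `.phtml` not covered) and CVE-2022-24983 (upload URI disclosed in the POST response). It is not JQueryForm.com's code. It shows a server-side name check that rejects an executable extension anywhere in the name, stores the file under a random name outside the web root, and returns only an opaque token, so there is no path for the submitter to learn. The reason `.bak` alone fails is a documented Apache behaviour: with `AddHandler application/x-httpd-php .php`, mod_mime treats every dotted segment as an extension, so `shell.php.bak` is still handed to PHP; only a handler bound via `<FilesMatch "\.php$">` is anchored to the end of the name. Extension lists, directory names and function names below are assumptions for the example.

```php
<?php
// Added example, not JQueryForm.com's code. Server-side replacement for the
// client-side extension check described in CVE-2022-24984, written so that it
// also closes the URI-disclosure chain in CVE-2022-24983: the stored name is
// random and is never returned to the submitter. Directory and field-number
// details from the advisory are not reproduced; paths here are assumptions.

// Extensions that common Apache/PHP setups will execute. ".bak" is not on
// the list on purpose: with "AddHandler application/x-httpd-php .php",
// mod_mime honours every extension in the name, so "shell.php.bak" is still
// PHP. Only a handler bound with <FilesMatch "\.php$"> is end-anchored.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'phps', 'pht', 'cgi', 'pl', 'shtml', 'htaccess'];
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'docx'];

// Returns the single allowed extension, or null if the name is rejected.
// Every dotted segment after the first is treated as an extension, so
// "report.php.bak", "a.phtml.png" and "x.PHP" are all rejected.
function accepted_extension(string $clientName): ?string
{
    $base = basename($clientName);               // drop any client-supplied path
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {  // no extension, or dotfile
        return null;
    }
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return null;
        }
    }
    if (count($exts) !== 1 || !in_array($exts[0], ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $exts[0];
}

// Stores the upload under a random name outside the web root and returns an
// opaque receipt. The submitter never learns the path or any unique ID.
function store_upload(string $tmpPath, string $clientName, string $storeDir): ?string
{
    $ext = accepted_extension($clientName);
    if ($ext === null) {
        return null;
    }
    $token = bin2hex(random_bytes(16));
    $dest = rtrim($storeDir, '/') . '/' . $token . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    // Record token -> $dest server-side; admins fetch through a download
    // script that checks authentication, never via a direct URL into $storeDir.
    return $token;
}

// Local dry run of the name check only (no real upload is performed).
$samples = ['report.pdf', 'shell.php', 'shell.phtml', 'shell.php.bak',
    'shell.pdf.php', '.htaccess', 'photo.JPG', '../../etc/cron.d/x.txt'];
foreach ($samples as $name) {
    printf("%-26s -> %s\n", $name, accepted_extension($name) ?? 'REJECT');
}
```

Two web-server settings pair with this on Apache with mod_php: bind the PHP handler with `<FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>` rather than `AddHandler`, and put `php_admin_flag engine off` (or an equivalent `<Directory>` block that removes the handler) on any directory that must hold user uploads. Neither replaces the name check; the point of the example is that the upload code should be safe even where the operator has not done either.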
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow a remote
> authenticated attacker to bypass authentication and access the
> administrative section of other forms hosted on the same web server.
> This is relevant only when an organization hosts more than one of
> these forms on their server.
>
> ------------------------------------------
>
> [Additional Information]
> This vulnerability only applies when an organization hosts more than 1
> JQueryForm.com form on their server. Authentication status is stored
> in the $_SESSION['authenticated'] variable, which is checked prior to
> checking authentication credentials. An attacker can thus ride the
> successful authentication on 1 form to bypass authentication on all
> other forms hosted on the same server.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, an attacker must be able to log in to the administrative section of a separate form hosted on the same server.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24985.
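An added example for CVE-2022-24985, not JQueryForm.com's code. PHP's session cookie is scoped to the host (the default `session.cookie_path` is `/`), so every copy of admin.php on one server reads the same `$_SESSION`; a single flat `$_SESSION['authenticated']` flag therefore unlocks all of them. The hardened version keys the flag by an identifier of the specific installation and regenerates the session id on login. The form paths, function names and the in-memory session array are assumptions made for this example.

```php
<?php
// Added example, not JQueryForm.com's code. PHP's session cookie is scoped
// to the host (cookie path "/" by default), so every form installed on the
// same server reads the same $_SESSION. A flat $_SESSION['authenticated']
// flag therefore logs the user into all of them at once. The fix is to bind
// the flag to the form it was issued for. The form paths and the in-memory
// session array below are assumptions for the example.

// Vulnerable pattern as the advisory describes it: one global flag that any
// admin.php on the host will honour.
function is_admin_vulnerable(array $session): bool
{
    return !empty($session['authenticated']);
}

// Hardened: the flag is keyed by a stable identifier of this installation.
// Deriving it from the script's own directory means two copies of admin.php
// on the same host can never share a key.
function form_id(string $scriptPath): string
{
    $dir = dirname($scriptPath);
    return hash('sha256', realpath($dir) ?: $dir);
}

function mark_admin_logged_in(array &$session, string $scriptPath): void
{
    // A fresh session id on privilege change also prevents session fixation.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['admin'][form_id($scriptPath)] = ['at' => time()];
}

function is_admin_hardened(array $session, string $scriptPath): bool
{
    return isset($session['admin'][form_id($scriptPath)]);
}

// Simulation with an in-memory array standing in for the live session.
// Paths are constructed; on a real host they would be two installed forms.
$session = [];
$formA = '/var/www/html/contact-form/admin.php';
$formB = '/var/www/html/survey-form/admin.php';

// Vulnerable: logging in on form A sets a flag that form B also trusts.
$session['authenticated'] = true;
var_dump(is_admin_vulnerable($session));

// Hardened: the login is recorded for A only, so B still requires credentials.
mark_admin_logged_in($session, $formA);
var_dump(is_admin_hardened($session, $formA));
var_dump(is_admin_hardened($session, $formB));
```

Keying by installation is the minimal change; a stricter deployment would also give each form its own `session_name()` and cookie path so the cookies themselves are not shared, but that is an operator setting rather than something the generated code can rely on.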
I did not understand that; can you explain more?