Latest YouTube Video

Friday, May 6, 2016

[FD] Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting

RCE Security Advisory http://ift.tt/1FlL0Pz 1. ADVISORY INFORMATION ======================= Product: Swagger Editor Vendor URL: http://ift.tt/1Fs585c Type: Cross-Site Scripting [CWE-79] Date found: 2015-04-07 Date published: 2016-05-03 CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Swagger Editor v2.9.9 (latest) older versions may be affected too. 4. INTRODUCTION =============== Swagger Editor lets you edit Swagger API specifications in YAML inside your browser and to preview documentations in real time. Valid Swagger JSON descriptions can then be generated and used with the full Swagger tooling (code generation, documentation, etc). (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The application "Swagger Editor" offers the functionality to import Swagger API specifications via a remote YAML/JSON file, but does not properly validate the "description" key within the imported specification file, which could lead to an unauthenticated DOM-based Cross-Site Scripting vulnerability. The following Proof-of-Concept YAML file triggers this vulnerability: swagger: '2.0' info: version: 1.0.0 title: Echo description: '' paths: /: get: responses: '200': description: Echo GET 6. RISK ======= To successfully exploit this vulnerability, the user must be tricked into importing an arbitrary JSON or YAML file either via the file system or via a remote URL. The vulnerability can be used to temporarily embed arbitrary script code into the context of the Swagger Editor interface, which offers a wide range of possible attacks such as client-side context manipulation or attacking the browser and its components. 7. SOLUTION =========== None. 8. REPORT TIMELINE ================== 2015-04-07: Discovery of the vulnerability 2015-04-07: Notified vendor via contact addresses on GitHub 2015-04-14: Notified vendor via contact addresses on GitHub 2015-04-23: Notified vendor via contact addresses on GitHub 2015-05-02: Notified vendor via contact addresses on GitHub 2015-05-02: Vendor states that creating a public GitHub issue is the proper way according to their policy 2016-05-03: Created http://ift.tt/1WNAQCx 2016-05-03: Advisory released 9. REFERENCES ============= http://ift.tt/1WNAQCx

Source: Gmail -> IFTTT-> Blogger

No comments: