PacketFence - BTS - PacketFence
ID: 0000884
Project: PacketFence
View Status: public
Date Submitted: 2009-12-22 09:27
Last Update: 2011-01-26 15:43
Reporter: obilodeau
Assigned To: obilodeau
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
0000884: "username" Cross-Site Scripting Vulnerability
XSS vulnerability on the admin login

more info here: http://secunia.com/advisories/37844/
No tags attached.
Attached file: security-fix-username-xss.patch (1,094) 2009-12-22 09:30
https://www.packetfence.org/bugs/file_download.php?file_id=47&type=bug
Issue History
2009-12-22 09:27  obilodeau  New Issue
2009-12-22 09:27  obilodeau  Status: new => assigned
2009-12-22 09:27  obilodeau  Assigned To: => obilodeau
2009-12-22 09:29  obilodeau  Note Added: 0001450
2009-12-22 09:30  obilodeau  File Added: security-fix-username-xss.patch
2009-12-22 09:39  obilodeau  Note Added: 0001451
2010-01-06 11:12  obilodeau  Note Added: 0001452
2010-01-06 11:12  obilodeau  Status: assigned => resolved
2010-01-06 11:12  obilodeau  Resolution: open => fixed
2011-01-26 15:43  obilodeau  Status: resolved => closed

Notes
(0001450) obilodeau, 2009-12-22 09:29
I was able to replicate yesterday and I pushed a patch to our mailing list.

Here are the two emails that were sent:

Olivier Bilodeau wrote:
> Hi,
>
> This afternoon we were referred to a public disclosure of a
> vulnerability in PacketFence's admin login categorized as less critical.[1]
>
>
> Fix
> ===
> We have a fix for it. Apply the attached patch which sanitizes the username
> field before output on a login failure.[2]
>
> We recommend applying the patch. It should apply cleanly.
>
>
> Impact
> ======
> It can be very tricky to see all of the potential impact of an exploited
> XSS vulnerability. In this case, the worst I can think of is stealing
> your admin session or doing any action in PacketFence's admin panel
> with your rights.
>
>
> Exploit
> =======
> I am not aware of any exploit code in the wild. Writing an exploit to
> steal an admin session would be non-trivial but not hard either.
>
>
> We will think about doing a 1.8.7 release and let you know if we do or
> not. Releasing takes time and the patch is trivial.
>
> I have no evidence that the reporter tried to reach us before public
> disclosure.
>
> [1] http://secunia.com/advisories/37844/
> [2] cd /usr/local; patch -p0 < security-fix-username-xss.patch
>
Olivier Bilodeau wrote:
> Sorry to bother everyone again but I realized I forgot to mention
> additional measures that are in place that mitigate the vulnerability:
>
> 1) There is a forced session timeout of 1 hour in the admin interface.
> This means that session stealing or active attacks need to be performed
> inside that window.
>
> 2) We check that the IP address stored in the session is the same as the
> one of the request.
> As far as I am aware, you need to be doing layer 2 man-in-the-middle to
> have the same IP of the administrator (in which case you would have
> other problems anyway).
>
> The problem is still very real but these countermeasures reduce the
> vulnerability window and increase the level of sophistication required
> by attackers.
>
> Do not hesitate to contact us if you have questions / concerns.
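The two emails above describe the fix (escape the username before it is echoed on the login-failure page) and two existing mitigations (a forced one-hour session timeout and a check that the session's stored IP matches the request IP). The following is an added illustration of those three controls, written for this note and not taken from the PacketFence patch or code base; the failure-page template, the function names and the session dictionary layout are assumptions made for the example.

```python
"""Added example: reflected XSS in a login-failure page, and the controls the
advisory thread describes. Not PacketFence code; the template, function names
and session layout are constructed for this illustration."""
import html

# Hypothetical failure-page fragment (constructed). The {username} slot is
# where untrusted, user-submitted input lands in the HTML response.
FAILURE_TEMPLATE = '<p class="error">Login failed for user: {username}</p>'


def render_failure_unsafe(username: str) -> str:
    """The vulnerable pattern: the submitted username is copied into HTML
    unchanged, so any markup in it is interpreted by the browser."""
    return FAILURE_TEMPLATE.format(username=username)


def render_failure_safe(username: str) -> str:
    """The fix: HTML-escape the untrusted field before output. quote=True also
    escapes quotes, which matters if the value is ever placed in an attribute."""
    return FAILURE_TEMPLATE.format(username=html.escape(username, quote=True))


# Mitigation 1) from the thread: a forced one-hour timeout on admin sessions.
SESSION_TIMEOUT_SECONDS = 3600


def session_is_valid(session: dict, request_ip: str, now: float) -> bool:
    """Mitigations 1) and 2): reject a session that is older than the timeout
    or whose stored client IP differs from the IP of the current request.

    `session` is assumed to hold 'created_at' (epoch seconds) and 'client_ip'
    (the address recorded when the admin logged in)."""
    if now - session["created_at"] > SESSION_TIMEOUT_SECONDS:
        return False          # stolen session tokens stop working after 1 h
    if session["client_ip"] != request_ip:
        return False          # token presented from another address is refused
    return True


if __name__ == "__main__":
    # Constructed sample input carrying markup, as a login form could submit.
    sample = "<script>alert(1)</script>"
    print("unsafe:", render_failure_unsafe(sample))
    print("safe:  ", render_failure_safe(sample))
    sess = {"created_at": 1000.0, "client_ip": "10.0.0.5"}
    print("fresh, same IP:", session_is_valid(sess, "10.0.0.5", 1600.0))
    print("expired:       ", session_is_valid(sess, "10.0.0.5", 4601.0))
    print("other IP:      ", session_is_valid(sess, "10.0.0.6", 1600.0))
```

The escaping step is the actual fix; the timeout and IP binding only shrink the window in which a stolen session is usable, as the second email points out, and should be kept alongside output encoding rather than instead of it.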
(0001451) obilodeau, 2009-12-22 09:39
fixed in monotone in branch 1.8 at rev: feaa0cc4166911293198b3da841d3ef72c04b03c
will be propagated to branch 1.9

we will consider doing an urgent release of the 1.8 branch
(0001452) obilodeau, 2010-01-06 11:12
1.8.7 released today includes the security fix (among other bugfixes)