PacketFence
Bug Tracking System

ID: 0000884
Project: PacketFence
View Status: public
Date Submitted: 2009-12-22 09:27
Last Update: 2011-01-26 15:43
Reporter: obilodeau
Assigned To: obilodeau
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version / Fixed in Version: (not set)
Summary: 0000884: "username" Cross-Site Scripting Vulnerability
Description: XSS vulnerability on the admin login

more info here: http://secunia.com/advisories/37844/
Tags: No tags attached.
fixed in git revision: (not set)
fixed in mtn revision: (not set)
Attached Files: security-fix-username-xss.patch (1,094 bytes) 2009-12-22 09:30

Relationships: (none)

Notes
(0001450)
obilodeau (reporter)
2009-12-22 09:29

I was able to replicate yesterday and I pushed a patch to our mailing list.

Here are two emails sent:

Olivier Bilodeau wrote:
> Hi,
>
> This afternoon we were referred to a public disclosure of a
> vulnerability in PacketFence's admin login categorized as less critical.[1]
>
>
> Fix
> ===
> We have a fix for it. Apply the attached patch, which sanitizes the username
> field before output on a login failure.[2]
>
> We recommend applying the patch. It should apply cleanly.
>
>
> Impact
> ======
> It can be very tricky to see all of the potential impact of an exploited
> XSS vulnerability. In this case, the worst I can think of is stealing
> your admin session or doing any action in PacketFence's admin panel
> with your rights.
>
>
> Exploit
> =======
> I am not aware of any exploit code in the wild. Writing an exploit to
> steal an admin session would be non-trivial but not hard either.
>
>
> We will think about doing a 1.8.7 release and let you know if we do or
> not. Releasing takes time and the patch is trivial.
>
> I have no evidence that the reporter tried to reach us before public
> disclosure.
>
> [1] http://secunia.com/advisories/37844/
> [2] cd /usr/local; patch -p0 < security-fix-username-xss.patch
>



Olivier Bilodeau wrote:
> Sorry to bother everyone again but I realized I forgot to mention
> additional measures that are in place that mitigate the vulnerability:
>
> 1) There is a forced session timeout of 1 hour in the admin interface.
> This means that session stealing or active attacks need to be performed
> inside that window.
>
> 2) We check that the IP address stored in the session is the same as the
> one of the request.
> As far as I am aware, you need to be doing layer 2 man-in-the-middle to
> have the same IP of the administrator (in which case you would have
> other problems anyway).
>
> The problem is still very real but these countermeasures reduce the
> vulnerability window and increase the level of sophistication required
> by attackers.
>
> Do not hesitate to contact us if you have questions / concerns.
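Added illustration of the bug class and the fix described in the emails above (reflected username on a login failure, fixed by escaping before output); this is example code written for this page, not PacketFence's Perl admin code and not the attached patch. The sample username and the two render functions are constructed for the demonstration.

```python
import html
import re

# Constructed sample input: a submitted "username" carrying markup, the kind of
# value that a login-failure page must not reflect verbatim.
SAMPLE_USERNAME = '"><script>x()</script>'


def render_login_failure_unsafe(username: str) -> str:
    """Reflects the submitted username into the page without escaping.

    Illustrates the vulnerable pattern: the value lands both in text content
    and inside a quoted attribute, so a single stray quote or '<' breaks out.
    """
    return (
        f"<p>Login failed for user: {username}</p>\n"
        f'<input type="text" name="username" value="{username}">'
    )


def render_login_failure_fixed(username: str) -> str:
    """Escapes the username before output, covering both HTML contexts.

    quote=True also escapes '"' and "'", which matters for the attribute
    value; escaping only '<' and '>' would leave the attribute injectable.
    """
    safe = html.escape(username, quote=True)
    return (
        f"<p>Login failed for user: {safe}</p>\n"
        f'<input type="text" name="username" value="{safe}">'
    )


def contains_injected_markup(page: str, allowed=("p", "input")) -> bool:
    """Crude check: does the page contain any tag the template did not emit?

    Used here only to make the difference between the two renderings visible;
    it is not a substitute for escaping on output.
    """
    tags = re.findall(r"<\s*/?\s*([A-Za-z]+)", page)
    return any(t.lower() not in allowed for t in tags)


if __name__ == "__main__":
    for name, render in (("unsafe", render_login_failure_unsafe),
                         ("fixed", render_login_failure_fixed)):
        page = render(SAMPLE_USERNAME)
        print(f"{name}: injected markup = {contains_injected_markup(page)}")
```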
(0001451)
obilodeau (reporter)
2009-12-22 09:39

fixed in monotone in branch 1.8 at rev: feaa0cc4166911293198b3da841d3ef72c04b03c
will be propagated to branch 1.9

we will consider doing an urgent release of the 1.8 branch
(0001452)
obilodeau (reporter)
2010-01-06 11:12

1.8.7 released today includes the security fix (among other bugfixes)

- Issue History
Date Modified Username Field Change
2009-12-22 09:27 obilodeau New Issue
2009-12-22 09:27 obilodeau Status new => assigned
2009-12-22 09:27 obilodeau Assigned To => obilodeau
2009-12-22 09:29 obilodeau Note Added: 0001450
2009-12-22 09:30 obilodeau File Added: security-fix-username-xss.patch
2009-12-22 09:39 obilodeau Note Added: 0001451
2010-01-06 11:12 obilodeau Note Added: 0001452
2010-01-06 11:12 obilodeau Status assigned => resolved
2010-01-06 11:12 obilodeau Resolution open => fixed
2011-01-26 15:43 obilodeau Status resolved => closed

