Securin Zero-Days

CVE-2017-14651 – Multiple Cross-Site Scripting in WSO2 Data Analytics Server

Severity: Medium
Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2017-14651
Securin ID: 2017-CSW-09-1017
Status: Fixed
Date: July 21, 2017

Description

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities have been identified in the management console of WSO2 Data Analytics Server Products 3.1.0. The vulnerabilities allow an attacker to inject malicious script, which can redirect the browser to a malicious website, change the UI of the web page, retrieve information from the browser, or otherwise cause harm.

 

*Affected Products: API Manager 2.1.0, App Manager 1.2.0, Application Server 5.3.0, Business Process Server 3.6.0, Business Rules Server 2.2.0, Complex Event Processor 4.2.0, Dashboard Server 2.0.0, Data Analytics Server 3.1.0, Data Services Server 3.5.1, Enterprise Integrator 6.1.1, Enterprise Mobility Manager 2.2.0, Governance Registry 5.4.0, Identity Server 5.3.0, IoT Server 3.0.0, Machine Learner 1.2.0, Message Broker 3.2.0, Storage Server 1.5.0

Proof of Concept (POC):

Issue 1: Sending a POST request to the URL https://WSO2IP:9443/carbon/resources/add_collection_ajaxprocessor.jsp with XSS payloads in the vulnerable variables collectionName and parentPath executes XSS in the victim's browser.

Figure 01: XSS payload sent through the vulnerable variable collectionName.

Figure 02: The XSS payload for the vulnerable variable collectionName is reflected in the response and executed.

Figure 03: XSS payload sent through the vulnerable variable parentPath (the collection name must also be injected with invalid symbols).

Figure 04: The XSS payload for the vulnerable variable parentPath is reflected in the response and executed.

Issue 2: Sending a GET request to the URL https://WSO2IP:9443/carbon/resources/permissions_ajaxprocessor.jsp?path=%2F_system%2Ftest%2Fhack-xss')"><script>alert(3)</script>&random=1275 executes XSS in the victim's browser.

Figure 05: GET request URL with an XSS payload in the path variable, which is vulnerable to Cross-Site Scripting.

Figure 06: Accessing the GET request URL executes the XSS payload through the vulnerable variable.
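The Issue 2 payload travels in the query string, so requests of that shape are visible in the console's HTTP access log. The following is an added example, not code from WSO2 or from this advisory, that scans log lines for the two endpoints named above and flags HTML metacharacters in the collectionName, parentPath and path parameters, including double-encoded ones. The log format (common/combined), the character set treated as suspicious, the function names and the sample lines (constructed, with an inert marker instead of a script) are assumptions; POST bodies as in Issue 1 are not recorded in a standard access log and need proxy or WAF logs instead.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints and parameter names taken from the advisory.
ENDPOINTS = {
    "/carbon/resources/add_collection_ajaxprocessor.jsp",
    "/carbon/resources/permissions_ajaxprocessor.jsp",
}
PARAMS = {"collectionName", "parentPath", "path"}
# Assumption: legitimate values of these parameters never contain these characters.
SUSPICIOUS = re.compile(r"[<>\"']")
# Request line inside a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_lines):
    """Return (line number, parameter, decoded value) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path not in ENDPOINTS:
            continue
        # parse_qsl decodes once; decode_fully handles further encoding layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = decode_fully(value)
            if name in PARAMS and SUSPICIOUS.search(value):
                hits.append((number, name, value))
    return hits

# Constructed sample lines: benign, marker, double-encoded marker, other endpoint.
BASE = "/carbon/resources/permissions_ajaxprocessor.jsp"
SAMPLE_LOG = [
    f'10.0.0.5 - - [21/Jul/2017:10:01:02 +0000] "GET {BASE}?path=%2F_system%2Fgovernance&random=811 HTTP/1.1" 200 5120',
    f'10.0.0.9 - - [21/Jul/2017:10:03:44 +0000] "GET {BASE}?path=%2F_system%2Ftest%2Fx%22%3E%3Cb%3E&random=1275 HTTP/1.1" 200 5342',
    f'10.0.0.9 - - [21/Jul/2017:10:04:10 +0000] "GET {BASE}?path=%2F_system%2Ftest%2Fx%2522%253E&random=9 HTTP/1.1" 200 5342',
    '10.0.0.7 - - [21/Jul/2017:10:05:00 +0000] "GET /carbon/admin/index.jsp?path=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```
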

Impact

An attacker can redirect the victim's browser to a malicious website, change the UI of the web page, and retrieve information from the browser.

Remediations

Download the relevant patch based on your version.

 https://wso2.com/security-patch-releases-notice

Timeline

Jul 08, 2017: Discovered in WSO2 Data Analytics Server Product version 3.1.0
Jul 21, 2017: Reported to WSO2
Jul 21, 2017: WSO2 security team acknowledged the vulnerability
Jul 12, 2017: Issue 01 was confirmed, issue 02 reported earlier, and fixed
Aug 21, 2017: Public patching was in progress
Sep 06, 2017: Updated the patch
