POSH <= 3.2.1 Multiple vulnerabilities
Multiple vulnerabilities in POSH web application
Multiple Cross-Site Scripting vulnerabilities, a design vulnerability and an SQL vulnerability have been found in the last version of POSH.

::

    getResults($addtoapplication_getUserRssInfo,$DB->quote('rssurl='.$_GET["rssurl"]));
Escape ``$_GET['rssurl']`` with ``$DB->quote()``.
Information leak (design vulnerability)
POSH provides a *remember me* feature that allows users to authenticate once and then use a dedicated cookie to prove their identity. POSH stores the username and md5 digest of the password in this cookie, with absolutely no protection, thus exposing user credentials through XSS.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: -
**CVE-ID**: CVE-2014-2212
Vulnerable code
The vulnerable code is located in */portal/scr_authentif.php*, line 79::

    //login request
    if (!empty($_COOKIE["autoi"]))
    {
        $id = $_COOKIE["autoi"];        // username, taken straight from the cookie
        $password = $_COOKIE["autop"];  // md5 digest of the password, also from the cookie
        $md5 = true;                    // flag: the supplied password is already an md5 digest
    }
Use a per-user unpredictable token instead of storing the user's id and password in a cookie.
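A token-based replacement for the *autoi*/*autop* cookies, as an added example that is not POSH code: the ``remember_tokens`` table, the ``$pdo`` connection, the cookie name and MySQL's ``NOW()`` are assumptions, and the ``setcookie()`` options array needs PHP 7.3 or later.

```php
<?php
// Token-based "remember me". Added example, not POSH code; the table,
// column names, cookie name and $pdo connection are assumptions.
const REMEMBER_COOKIE = 'posh_remember';   // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;    // 30 days

// On successful password login: mint a random selector + verifier,
// store only the hash of the verifier, hand the pair to the browser.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $verifier = random_bytes(32);           // secret, never stored in clear
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, verifier_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $verifier), $userId,
                    date('Y-m-d H:i:s', time() + REMEMBER_TTL)]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . bin2hex($verifier), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // unreadable from script, unlike autoi/autop
        'samesite' => 'Lax',
    ]);
}

// On a request without a session: look the selector up, compare the
// verifier hash in constant time, and rotate the token on success.
function userFromRememberCookie(PDO $pdo): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, verifier_hash FROM remember_tokens
          WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['verifier_hash'], hash('sha256', hex2bin($m[2])))) {
        return null;
    }
    // single use: delete and re-issue so a stolen cookie has a short life
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    issueRememberToken($pdo, (int) $row['user_id']);
    return (int) $row['user_id'];
}
```

Because the cookie carries a random value rather than the password digest, a leaked cookie can be revoked by deleting its row and reveals nothing about the user's password.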
Cross-Site Scripting vulnerabilities
Many cross-site scripting vulnerabilities have been found in POSH::
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVE-ID**: CVE-2014-2213
Validate the *id* parameter (it must be an integer) and escape HTML-specific characters when displaying the error message.
Arbitrary URL redirection
POSH is prone to an arbitrary URL redirection vulnerability through POST requests to its script in charge of sending password reset links to users::

    POST /posh/portal/scr_sendmd5.php HTTP/1.1
    Content-Length: 61
    Content-Type: application/x-www-form-urlencoded
    Host: <host>
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Accept: */*
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-601
**CVE-ID**: CVE-2014-2214
Only allow redirection to known pages or remove any leading '/'.
Affected versions
* POSH versions from 3.0 to 3.2.1
Timeline
* 01/23/2014: vendor notified
* 01/24/2014: vendor answered
* 02/20/2014: vendor issued an official fix
* 02/27/2014: updated CVE-IDs
Links
* http://sourceforge.net/projects/posh/files/Posh%20portal/posh%203.2.1/
* http://sourceforge.net/projects/posh/files/Posh%20portal/posh%203.3.0/ (official fix)
Credits
* Anthony BAUBE, Sysdream (a.baube -at- sysdream -dot- com)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
* Website: https://sysdream.com
* Twitter: @sysdream