POSH <= 3.2.1 Multiple vulnerabilities
Multiple Cross-Site Scripting vulnerabilities, a design vulnerability and an SQL vulnerability have been found in the last version of POSH================================================
Multiple vulnerabilities in POSH web application
================================================
Description
===========
Multiple Cross-Site Scripting vulnerabilities, a design vulnerability and an SQL vulnerability have been found in the last version of POSH getResults($addtoapplication_getUserRssInfo,$DB->quote('rssurl='.$_GET["rssurl"]));
$var="rssurl=".urlencode($_GET["rssurl"])."&";
}
else
{
$DB->getResults($addtoapplication_getRssInfo,$_GET["rssurl"],$DB->escape($_GET["pid"]));
}
--------
Solution
--------
Escape ``$_GET['rssurl']`` with ``$DB->quote()``.
Information leak (design vulnerability)
=======================================
POSH provides a *remember me* feature that allows users to authenticate once and then use a dedicated cookie to prove their identity. POSH stores the username and md5 digest of the password in this cookie, with absolutely no protection, thus exposing user credentials through XSS.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: -
**CVE-ID**: CVE-2014-2212
---------------
Vulnerable code
---------------
The vulnerable code is located in */portal/scr_authentif.php*, line 79:
//login request
if (!empty($_COOKIE["autoi"]))
{
$id = $_COOKIE["autoi"];
$password = $_COOKIE["autop"];
$md5 = true;
}
--------
Solution
--------
Use a per-user unpredictable token instead of storing the user's id and password in a cookie.
Cross-Site Scripting vulnerabilities
====================================
Many cross-site scripting vulnerabilities have been found in POSH::
http://host/includes/plugins/mobile/scripts/login.php?error=<script>alert('XSS')</script>
http://host/portal/openrssarticle.php?id=alert('XSS')
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVE-ID**: CVE-2014-2213
--------
Solution
--------
Validate the *id* parameter (must be integer) and escape html-specific characters when displaying the error message.
Arbitrary URL redirection
=========================
POSH is prone to an arbitrary URL redirection vulnerability using POST requests, in its script in charge of sending reset password links to users::
POST /posh/portal/scr_sendmd5.php HTTP/1.1
Content-Length: 61
Content-Type: application/x-www-form-urlencoded
Host: <host>
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
redirect=%2f%2fwww.sysdream.com&update=Send&username=kjjascli
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-601
**CVE-ID**: CVE-2014-2214
--------
Solution
--------
Only allow redirection to known pages or remove any leading '/'.
Affected versions
=================
* POSH versions from 3.0 to 3.2.1
Timeline
========
* 01/23/2014: vendor notified
* 01/24/2014: vendor answered
* 02/20/2014: vendor issued an official fix
* 02/27/2014: updated CVE-IDs
References
==========
* http://sourceforge.net/projects/posh/files/Posh%20portal/posh%203.2.1/
* http://sourceforge.net/projects/posh/files/Posh%20portal/posh%203.3.0/ (official fix)
Credits
=======
* Anthony BAUBE, Sysdream (a.baube -at- sysdream -dot- com)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
Contact
=======
* Website: https://sysdream.com
* Twitter: @sysdream