Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTim CoenPACKETSTORM:141682
HistoryMar 17, 2017 - 12:00 a.m.

HumHub 1.0.1 Cross Site Scripting

2017-03-1700:00:00
Tim Coen
packetstormsecurity.com
33
JSON
`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: HumHub 1.0.1 and earlier  
Fixed in: 1.1.1  
Fixed Version https://www.humhub.org/en/download/default/form?version=1.1.1  
Link: &type=zip  
Vendor Website: https://www.humhub.org/  
Vulnerability XSS  
Type:  
Remote Yes  
Exploitable:  
Reported to 01/10/2016  
vendor:  
Disclosed to 03/17/2017  
public:  
Release mode: Coordinated Release  
CVE: n/a  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
HumHub is a social media platform written in PHP. In version 1.0.1 and earlier,  
it is vulnerable to a reflected XSS attack if debugging is enabled, as well as  
a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript  
keyloggers, or bypass CSRF protection.  
  
3. Details  
  
XSS 1: Reflected XSS  
  
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N  
  
Description: When the debug mode is enabled, which it is by default, the  
UserSearch parameter is vulnerable to reflected XSS. Additionally, the  
resulting error page discloses all cookies - even httpOnly cookies -, and the  
contents of the $_SERVER array.  
  
Proof of Concept:  
  
http://localhost/humhub-0.20.0/index.php?UserSearch[last_login]=<script>alert  
(1)</script>&r=admin%2Fuser  
  
XSS 2: DOM-based Self-XSS  
  
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N  
  
There is a reflected DOM-based self-XSS vulnerability in HumHub. It may be  
possible to exploit this issue via ClickJacking in some browsers.  
  
Proof of Concept:  
  
Visit the profile of a user: http://localhost/humhub-0.20.0/index.php?r=  
space%2Fspace&sguid=d2f06d0a-47e1-4549-b469-c8a1df48faca In the "What's on your  
mind?"-text box enter: '"><img src=no onerror=alert(5)>  
  
4. Solution  
  
To mitigate this issue please upgrade at least to version 1.1.1:  
  
https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip  
  
Please note that a newer version might already be available.  
  
5. Report Timeline  
  
01/10/2016 Informed Vendor about Issue  
01/12/2016 Vendor confirms issue  
02/10/2016 Vendor requests more time  
08/16/2016 Vendor releases partial fix  
09/26/2016 Vendor releases fix  
03/27/2017 Disclosed to public  
  
  
Blog Reference:  
https://www.curesec.com/blog/article/blog/HumHub-101-XSS-195.html  
  
--  
blog: https://www.curesec.com/blog  
Atom Feed: https://www.curesec.com/blog/feed.xml  
RSS Feed: https://www.curesec.com/blog/rss.xml  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Josef-Orlopp-StraAe 54  
10365 Berlin, Germany  
  
  
`
JSON