Message-ID: <20150727122833.GA15328@lakka.kapsi.fi>
Date: Mon, 27 Jul 2015 15:28:33 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Alex Tselegidis <alextselegidis@...il.com>
Subject: CVE request: Easy!Appointments 1.0 cross-site scripting vulnerability


Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross Site Scripting (CWE-79)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-27
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments contains a flaw that allows a stored cross-site scripting
(XSS) attack. This flaw exists because the appointment registration
functionality does not validate input to the 'first-name', 'last-name' or
'phone-number' parameters before returning it to authenticated users. This
allows a context-dependent attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser session within the trust
relationship between their browser and the server.

Root cause:

The software does not neutralize user-controllable input before it is placed in
output that is used as a web page that is served to authenticated users.

Proof-of-concept:

1. Select a service and a provider
2. Select a date and time
3. Fill in your information, using the following payload as the first name:
    Henri"><img src='#' onerror=alert(document.cookie) />
4. Log in as administrator or as provider/secretary
5. Go to "Calendar"
6. Open up the appointment
7. Malicious code is executed

Fixed in the following commit:
    https://github.com/alextselegidis/easyappointments/commit/914d3af8c2e513b49bd27955b32b4ce1d50b7325
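As an added example (not the project's code and not the contents of the fix commit above), the unsafe rendering pattern described under "Root cause" beside an output-encoded version, exercised with the advisory's payload; the appointment record, the template and the function names are hypothetical:

```javascript
// Constructed appointment record as an admin "Calendar" view might receive it,
// with the advisory's payload in the first-name field.
const appointment = {
  firstName: 'Henri"><img src=\'#\' onerror=alert(document.cookie) />',
  lastName: 'Salo',
  phoneNumber: '+358 00 000 0000',
};

// Vulnerable: user-controlled fields are interpolated straight into HTML,
// so the stored payload becomes live markup when the appointment is opened.
function renderUnsafe(a) {
  return `<div class="customer" title="${a.firstName}">` +
         `${a.firstName} ${a.lastName} (${a.phoneNumber})</div>`;
}

// Output encoding for HTML text and quoted attribute values; the character
// set (& < > " ') follows the OWASP XSS prevention cheat sheet referenced below.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Fixed: every user-controlled field is encoded at the point of output.
function renderSafe(a) {
  return `<div class="customer" title="${escapeHtml(a.firstName)}">` +
         `${escapeHtml(a.firstName)} ${escapeHtml(a.lastName)} ` +
         `(${escapeHtml(a.phoneNumber)})</div>`;
}

// Crude regression check for this template: the rendered fragment must
// contain exactly the one <div> element the template itself emits, so any
// extra tag comes from the data and indicates missing encoding.
function onlyTemplateMarkup(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.length === 2 && tags[0].startsWith('<div ') && tags[1] === '</div>';
}
```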

References:
    http://cwe.mitre.org/data/definitions/79.html
    https://en.wikipedia.org/wiki/Cross-site_scripting
    https://scapsync.com/cwe/CWE-79
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

-- 
Henri Salo
