
XSS vulnerability in ub.edu
Verified, Public

Description

Abstract

Arbitrary JavaScript can be injected into the pages http://www.ub.edu/noticies/cgi/event.pl?id={id}&noticiaub={noticia}, [...]/cerca.pl?noticiaub={noticia} and [...]/cercar.pl?noticiaub={noticia} via the noticiaub parameter they share.

Reproduction steps

  1. Visit http://www.ub.edu/noticies/cgi/event.pl?id=131212&noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan, http://www.ub.edu/noticies/cgi/cerca.pl?noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan, or http://www.ub.edu/noticies/cgi/cercar.pl?noticiaub=%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan.
  2. The JavaScript alert(document.domain) is executed 3 times.

Attachment: Screenshot 2019-11-27 at 23.01.43.png (65 KB)

What should be done?

Sanitize (HTML-encode) the noticiaub parameter before it is written back into the page's HTML.
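The following is an added example, not code from ub.edu or from this report: it decodes the noticiaub value from the proof-of-concept URL above the way a CGI script would, renders it with a raw reflection and with HTML encoding, and counts how many tags each rendering contains. The template (a single-quoted value attribute) is an assumption chosen because the payload opens with '> to close exactly that kind of attribute; the real event.pl/cerca.pl/cercar.pl markup is not on this page.

```python
"""Reflected XSS: raw reflection of a query parameter vs. HTML-encoded reflection.

Added example, not code from the ub.edu site. The template below is an ASSUMED
stand-in for how noticiaub is echoed into the page; the real CGI templates are
not part of the report.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL quoted in the report (one of the three affected scripts).
POC_URL = ("http://www.ub.edu/noticies/cgi/event.pl?id=131212&noticiaub="
           "%27%3E%3Cimg%20onerror=%22alert(document.domain)%22%20src=%22random%22%3E%3Cspan")


def noticiaub_from_url(url: str) -> str:
    """Decode the noticiaub query parameter as a CGI script would receive it."""
    return parse_qs(urlsplit(url).query)["noticiaub"][0]


def render_vulnerable(noticiaub: str) -> str:
    """ASSUMED vulnerable template: the value is interpolated verbatim into a
    single-quoted attribute, so a leading ' closes the attribute and > closes
    the tag, letting the rest of the value start new elements."""
    return f"<input type='text' name='noticiaub' value='{noticiaub}'>"


def render_fixed(noticiaub: str) -> str:
    """Same template with output encoding: html.escape(quote=True) turns
    & < > " and ' into entities, so the value can neither terminate the
    attribute nor open a tag."""
    return f"<input type='text' name='noticiaub' value='{html.escape(noticiaub, quote=True)}'>"


# A '<' followed by a letter is where the HTML parser starts a tag.
TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def count_tags(markup: str) -> int:
    """Count tag openings in a rendered fragment (enough to compare the two renderings)."""
    return len(TAG_RE.findall(markup))


if __name__ == "__main__":
    value = noticiaub_from_url(POC_URL)
    print("decoded parameter :", value)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(value)
        print(f"{name:>10}: {count_tags(out)} tag(s) -> {out}")
```

Running it shows the raw rendering growing from one tag (the input) to three (input, img, span), while the encoded rendering keeps a single tag and the payload survives only as inert text. Encoding has to match the context the value lands in; this example covers the attribute case the payload targets.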

Attack scenario

An attacker could craft a URL containing JavaScript which, when opened by another UB member, would send that member's current session cookies to the attacker (for instance the sensitive UBSess cookie on ub.edu, which can be accessed via HTTP).


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor: Universitat de Barcelona
Product: ub.edu
Reported: Nov 27 2019, 11:44 PM
Deadline: 90 days

Event Timeline

avm99963 triaged this task as Priority-1 priority. Nov 27 2019, 11:46 PM
avm99963 created this task.
avm99963 changed the task status from New to Started. (Edited) Jan 19 2020, 5:03 PM

Changing its status to "started", because SAE (Servei d'Atenció a l'Estudiant) told me on Jan 16, 2020:

they are working [on the vulnerability] but have run into collateral problems that they are trying to resolve

On Feb 21, 2020, SAE confirmed that the vulnerability was fixed. From my end it also seems like it is fixed, so I'll be changing its status to verified and will publish it.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Feb 23 2020, 7:30 PM