TWSL2013-002: Multiple XSS Vulnerabilities in The Bug Genie

Trustwave SpiderLabs has published a new security advisory for multiple Cross-Site Scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management PHP application. The findings include both reflective and persistent XSS vulnerabilities in input parameters that can be exploited via authenticated POST requests. The Bug Genie team was contacted earlier this year regarding the security issues, and made an attempt to address them in their 3.2.5 release. Due to incomplete fixes in the 3.2.5 version, affected users are advised to upgrade to the latest stable 3.2.6 release.

Our initial security advisory was published for affected versions 3.2.4 and prior. However, a couple of weeks after the fixes were released in version 3.2.5, I revisited the application in order to confirm the fixes. I found that only two out of the five findings were correctly addressed. As a result, the remaining three findings in the 3.2.5 version were still vulnerable to XSS. Multiple attempts to contact The Bug Genie team regarding the following incomplete fixes were made:

  • Persistent XSS via POST request on 'description' parameter in issue reporting
  • Persistent XSS via POST request in file attachments
  • Reflective XSS via POST request on 'openid_identifier' parameter in login during preauth

Both the 'description' and 'openid_identifier' parameters fail to sanitize user input properly. Although the 3.2.5 version of The Bug Genie applied a fix in different locations for both vulnerabilities, it failed to eliminate the issue entirely in other parts of the web application.

For example, the patch that was applied to fix the 'openid_identifier' issue sanitizes the error message "Could not validate against the OpenID provider: %message%." However, I found that the XSS vulnerability still exists in a different location: the 'openid_identifier' parameter's value can be set to arbitrary JavaScript, which causes the application to throw the error exception "Could not connect to $url," where $url is not sanitized. As such, the output would be "Could not connect to http://<script>prompt(1)</script>", resulting in XSS.
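The pattern behind this incomplete fix, as an added example that is not The Bug Genie's code: two error-message sinks echo the same parameter, only one was escaped, and a regression check that feeds the probe value quoted above to every sink catches the one that was missed. The function names are hypothetical stand-ins.

```php
<?php
// Added example; not The Bug Genie's code. The function names below are
// hypothetical stand-ins for the two OpenID error-message sinks described above.

// One escaping helper, applied at every output sink.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The incomplete fix: the validation message is escaped, but the
// connection-failure message still interpolates the raw URL.
function renderOpenIdErrorIncomplete(string $stage, string $input): string
{
    if ($stage === 'validate') {
        return 'Could not validate against the OpenID provider: ' . esc($input) . '.';
    }
    return "Could not connect to $input";   // unescaped sink
}

// The complete fix: both messages go through the same helper.
function renderOpenIdError(string $stage, string $input): string
{
    if ($stage === 'validate') {
        return 'Could not validate against the OpenID provider: ' . esc($input) . '.';
    }
    return 'Could not connect to ' . esc($input);
}

// Regression check in the spirit of re-verifying a fix: send the same probe
// through every code path that can echo the parameter and report the paths
// where a raw tag survives. Returns the leaking stages (empty means fixed).
function findUnescapedSinks(callable $renderer, array $stages): array
{
    $probe = 'http://<script>prompt(1)</script>';   // constructed probe value
    $leaking = [];
    foreach ($stages as $stage) {
        $out = $renderer($stage, $probe);
        if (strpos($out, '<script>') !== false) {
            $leaking[] = $stage;
        }
    }
    return $leaking;
}

$stages = ['validate', 'connect'];
var_dump(findUnescapedSinks('renderOpenIdErrorIncomplete', $stages));
var_dump(findUnescapedSinks('renderOpenIdError', $stages));
```

The check only flags the 'connect' stage for the incomplete renderer and nothing for the complete one, which is the difference between verifying a patch at the reported location and verifying it at every sink.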

Therefore, I developed two patches that addressed both issues. As of this post, the supplied patches that I submitted to The Bug Genie team to help address the incomplete fixes for both vulnerabilities have been merged into their codebase. Affected users who previously upgraded to version 3.2.5 should now upgrade to the latest 3.2.6 release, which contains both of my fixes.

Here are the changes that I provided:

  • Download: Fix openid_identifier XSS Vulnerability (Openid_xss)
  • Download: Fix timelineIssues XSS Vulnerability (Timeline_xss)

As a final note, the persistent XSS vulnerability that exists in the way that the application renders its content remains unfixed in the latest 3.2.6 version as well. However, the file uploading functionality in The Bug Genie is disabled by default.

Additionally, cross-site scripting vulnerabilities, such as those reported in The Bug Genie, can be mitigated by using a web application firewall (WAF), such as ModSecurity and WebDefend.

For additional details regarding this security advisory, please visit: Security Advisory TWSL2013-002
