Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

TWSL2013-002: Multiple XSS Vulnerabilities in The Bug Genie

Trustwave SpiderLabs has published a new security advisory for multiple Cross-Site Scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management PHP application. The findings include both reflective and persistent XSS vulnerabilities in input parameters that can be exploited via authenticated POST requests. The Bug Genie team was contacted earlier this year regarding the security issues, and made an attempt to address them in their 3.2.5 release. Due to incomplete fixes in the 3.2.5 version, affected users are advised to upgrade to the latest stable 3.2.6 release.

Our initial security advisory was published for affected versions 3.2.4 and prior. However, a couple of weeks after the fixes were released in version 3.2.5, I revisited the application in order to confirm the fixes. I found that only two out of the five findings were correctly addressed. As a result, the remaining three findings in the 3.2.5version were still vulnerable to XSS. Multiple attempts to contact The BugGenie team regarding the following incomplete fixes were made:

  • Persistent XSS via POST request on 'description' parameter in issue reporting
  • Persistent XSS via POST request in file attachments
  • Reflective XSS via POST request on 'openid_identifier' parameter in login during pre auth

Both the 'description' and 'openid_identifier' parameters fail to sanitize user input properly. Although the 3.2.5 version of The Bug Genie applied a fix in different locations for both vulnerabilities, they failed to eliminate the issue entirely in other parts of the web application.

For example, the patch that was applied to fix the 'openid_identifier' issue sanitizes the error message "Could not validate against the OpenID provider: %message%." However, I found that the XSS vulnerability exists in a different location where the 'openid_identifier' parameter's value can be set to arbitrary JavaScript and cause the application to throw the error exception "Could not connect to $url," where $url is not sanitized. As such, the output would be "Could not connect to http://<script>prompt(1)</script>", resulting in XSS.

Therefore, I developed two patches that addressed both issues. As of this post, the supplied patches that I submitted to The Bug Genie team to help address the incomplete fixes for both vulnerabilities have been merged into their codebase. Affected users who previously upgraded to version 3.2.5 should now upgrade to the latest 3.2.6release, which contains both of my fixes.

Here are the changes that I provided:

Download: Fixopenid_identifier XSS Vulnerability

Openid_xss
Download: Fix timeline Issues XSS Vulnerability

Timeline_xss

As a final note, the persistent XSS vulnerability that exists in the way that the application renders its content remains unfixed in the latest 3.2.6 version as well. However, the file uploading functionality in The Bug Genie is disabled by default.

Additionally, cross-site scripting vulnerabilities, such as those reported in The Bug Genie, can be mitigated by using a web application firewall (WAF), such as ModSecurity and Web Defend.

 

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More