Bishop Fox Security Advisory: Multiple Security Vulnerabilities Discovered in YunoHost 2.7.2 to 2.7.14 Versions

The following document describes the vulnerabilities identified in YunoHost versions 2.7.2 to 2.7.14.

Product Description

YunoHost is an application that is used to manage applications hosted on a Linux server. Additionally, it allows the user to manage the entire Linux system, including installed services, firewall rules, and system updates. The application’s official website is yunohost.org. Version 2.7.2 was released on August 22, 2017, and version 2.7.14 was released on June 28, 2018.

Vulnerabilities List

Two vulnerabilities were identified within the YunoHost application:

  • Two instances of stored cross-site scripting
  • One instance of HTTP header injection

These vulnerabilities are described in the following sections.

Affected Version

Versions between 2.7.2 and 2.7.14

Solution

TBD

Stored Cross-site Scripting

The YunoHost application is affected by two cross-site scripting (XSS) vulnerabilities that are stored within the user profile. These vulnerabilities allow the execution of a JavaScript payload inside the victim’s browser.

Vulnerability Details

CVE ID: CVE-2018-11348

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 8.8

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Two XSS vulnerabilities are located in the user profile page of the user panel within the YunoHost application. By injecting a JavaScript payload into either vulnerable parameter of the profile page, an attacker can manipulate a user's session. The vulnerable parameters are givenname and sn.

To demonstrate the attack, the following payload can be used for each parameter:

The request below could be used to exploit the vulnerabilities:

HTTP Header Injection

The YunoHost application is affected by one HTTP header injection vulnerability. An attacker can exploit this vulnerability by manipulating one of the request parameters and injecting a malicious HTTP header into the response returned by the server. This header could be used to set a cookie or to overwrite HTTP headers that instruct the client browser to protect client data. Full exploitation requires the attacker to interact with the user and send them the malicious link. By combining the HTTP header injection vulnerability with the XSS vulnerability described above, an attacker could target the victim's browser with a malicious JavaScript payload.

Vulnerability Details

CVE ID: CVE-2018-11347

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The authentication page of the YunoHost application is vulnerable to HTTP header injection. The attack could be performed using the following URL:

The vulnerability can be used to force a user to log into an infected account with the XSS described in the previous section. An attacker can send the following request to perform this attack:

In the request above, malicious Set-Cookie HTTP headers are sent to the user's browser, overwriting valid session cookies.
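The two defects above share one root cause: user-controlled values (the givenname and sn profile fields, and a request parameter reflected into a response header) reach an output context without being encoded for it. The following is an added example, not YunoHost's own code, showing the two output-side checks a fix needs (HTML-escaping the profile fields, and rejecting line-break characters in anything emitted as a header value) plus a small helper for spotting CR/LF in logged query strings; the function names and sample inputs are constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# CR, LF or NUL inside an HTTP header value ends the header line, so a
# user-controlled value carrying them can append headers of its own
# (for example an extra Set-Cookie, as the advisory describes).
_LINE_BREAK = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Return value unchanged only if it is safe to emit as one header value.

    Reject rather than strip: a stripped value hides the attempt, while a
    rejected one can be logged and alerted on.
    """
    if _LINE_BREAK.search(value):
        raise ValueError("line-break characters are not allowed in header values")
    return value


def render_profile(givenname: str, sn: str) -> str:
    """Escape the stored profile fields before placing them in HTML.

    html.escape turns <, >, &, " and ' into entities, so a stored value is
    displayed literally instead of being parsed as markup.
    """
    return f"<p>Name: {html.escape(givenname)} {html.escape(sn)}</p>"


def params_with_line_breaks(raw_query: str) -> list[str]:
    """Detection helper for access logs: names of query parameters whose
    URL-decoded value contains CR, LF or NUL (e.g. %0d%0a in the raw URL)."""
    return [name for name, value in parse_qsl(raw_query, keep_blank_values=True)
            if _LINE_BREAK.search(value)]


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    print(render_profile("<b>Alice</b>", "Example"))
    print(params_with_line_breaks("user=alice&r=%2Fhome%0d%0aX-Probe%3A%201"))
    try:
        safe_header_value("/home\r\nX-Probe: 1")
    except ValueError as exc:
        print("rejected:", exc)
```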

Disclosure Timeline:

  • 9/28/2017: Initial discovery in version 2.7.2
  • 7/6/2018: Vulnerabilities discovered in version 2.7.14
  • 10/30/2018: Public disclosure of vulnerabilities

Researcher:

Florian Nivette, Security Associate at Bishop Fox