Home Tools Exploits & CVE's HAWKI 1.0.0-beta.1 XSS / File Overwrite / Session Fixation

HAWKI 1.0.0-beta.1 XSS / File Overwrite / Session Fixation

May 31, 2024

Authored by Thorger Jansen, Florian Stuhlmann | Site sec-consult.com

HAWKI version 1.0.0-beta.1 before commit 146967f suffers from cross site scripting, arbitrary file overwrite, and session fixation vulnerabilities.

advisories | CVE-2024-25975, CVE-2024-25976, CVE-2024-25977

Change Mirror Download

  SEC Consult Vulnerability Lab Security Advisory < 20240527-0 >
=======================================================================
               title: Multiple vulnerabilities
             product: HAWKI (Interaction Design Team at the University of Applied
                      Sciences and Arts in Hildesheim/Germany)
  vulnerable version: 1.0.0-beta.1, versions before commit 146967f
       fixed version: Github commit 146967f
          CVE number: CVE-2024-25975, CVE-2024-25976, CVE-2024-25977
              impact: high
            homepage: https://github.com/HAWK-Digital-Environments/HAWKI
               found: 2024-03-05
                  by: Florian Stuhlmann (Office Bochum)
                      Thorger Jansen (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"HAWKI is a didactic interface for universities based on the OpenAI API.
It is not necessary for users to create an account, the university ID
is sufficient for login - no user-related data is stored."

Source: https://github.com/HAWK-Digital-Environments/HAWKI


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Arbitrary File Overwrite (CVE-2024-25975)
The application implements an up- and downvote function which alters a
value within a JSON file. The POST parameters are not filtered properly
and therefore an arbitrary file can be overwritten. The file can be
controlled by an authenticated attacker, the content cannot be controlled.
It is possible to overwrite all files for which the webserver has write access.
It is required to supply a relative path (path traversal).

2) Reflected Cross-Site-Scripting (CVE-2024-25976)
When LDAP authentication is activated in the configuration it is possible
to obtain reflected XSS execution by creating a custom URL that the
victim only needs to open in order to execute arbitrary JavaScript code in
the victim's browser.

3) Session Fixation (CVE-2024-25977)
The application does not change the session token when using the login or
logout functionality. An attacker can set a session token in the victim's
browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect
to the login page). This results in the victim's account being taken over.


Proof of concept:
-----------------
1) Arbitrary File Overwrite (CVE-2024-25975)
The following POST request can overwrite the file "AvatarFinanzen.png". This
file is a default file located within the "img" folder.

---
POST /downvote.php HTTP/2
Host: $host
Cookie: PHPSESSID=<Session Id>
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

../img/AvatarFinanzen.png
---

Both upvote.php and downvote.php are vulnerable. The vulnerable part in
downvote.php is:

---
[...]
  $id = file_get_contents("php://input");
  $sanitizedId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
  $file = "feedback/" . $sanitizedId;
[...]
  file_put_contents("feedback/$sanitizedId", json_encode($json));
[...]
---


2) Reflected Cross-Site-Scripting (XSS) (CVE-2024-25976)
A call to the following URL will trigger an alertbox:

---
https://$host/HAWKI/login.php/"><script>alert(document.cookie)</script>
---

This is due to a fault in the file login.php where the content of
"$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence
the attacker does not need a valid account in order to exploit this issue
The following code is vulnerable:

---
[...]
  $server = $_SERVER['PHP_SELF'];
[...]
  echo '<form action = "' . $server . '" class="column" method = "post" >
[...]
---

The vulnerability is exploitable with the Apache2 default configuration.
For other webservers, the vulnerability might not be exploitable.


3) Session Fixation (CVE-2024-25977)
The attacker changes the value of PHPSESSID within the victim's browser to
something like "abc". An attacker with the same value for PHPSESSID is now
authenticated as well after the victim uses successfully logs in.


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
* 1.0.0-beta.1


Vendor contact timeline:
------------------------
2024-03-21: Contacting vendor through email referenced on Github
2024-03-22: Asking about email encryption, sending report unencrypted
             as requested.
2024-04-17: Asked the vendor again to receive details regarding the timeline.
2024-04-18: Vendor provides a patch pushed to the public repository.
2024-05: Fix verification phase.
2024-05-27: Release of security advisory.


Solution:
---------
The vendor provides a patch which can be downloaded from
https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Florian Stuhlmann & Thorger Jansen / @2024

HAWKI 1.0.0-beta.1 XSS / File Overwrite / Session Fixation

Follow us on Instagram @thecyberpost

EDITOR PICKS

Texas judge upholds hospitals’ right to use online tracking technology

SPA-CART CMS 1.9.0.6 Username Enumeration / Business Logic Flaw

Backdoor.Win32.Plugx MVID-2024-0686 Insecure Permissions

POPULAR POSTS

Oracle Database Password Hash Unauthorized Access

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

POPULAR CATEGORY

Canon PIXMA TR4550 1.020 / 1.080 Unencrypted Secret Storage

AppleAVD deallocateKernelMemoryInternal Missing Surface Lock

PHPJ Callback Widget 1.0 Cross Site Scripting