#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ONELAN CMS [1]
# Vendor:   ONELAN
# CSNC ID:  CSNC-2018-008
# Subject:  JWT in GET Requests
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     06.02.2018
#
#############################################################

Introduction:
-------------
The ONELAN Content Management System (CMS) software leverages more than a
decade of development and industry experience to deliver users a business
tool that makes creating, publishing and managing content simple and
dependable. [1]

Compass Security discovered a security flaw in the ONELAN CMS, which
discloses JWTs (JSON Web Tokens) as HTTP GET parameters.

Affected:
---------
Vulnerable:
 * CMS V3.3.0 Build 56815

Technical Description
---------------------
The CMS issues HTTP GET requests that carry the user's JSON Web Token in
the query string. Because the token is part of the URL, it can be
intercepted and/or cached, e.g., by proxy servers. In the request below
the same token is also sent in the CMS_TOKEN cookie.

Request:
GET /channel_soc/preview/control/layout/[CUT]_files/text_style_zone_C_1001.xml.490da221fc5fb241a5fa0bf089d8a63c.channel?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[CUT].[CUT] HTTP/1.1
Host: [CUT]
Accept: application/json, text/plain, */*
Cookie: session=[CUT]; media=media; CMS_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[CUT].[CUT]
Connection: close

Workaround / Fix:
-----------------
This issue can be fixed by not transmitting the JWT as a GET request
parameter.

Timeline:
---------
2018-05-29: Public disclosure
2018-05-28: Release of fixed version/patch
2018-02-12: Initial vendor response
2018-02-06: Initial vendor notification
2018-02-06: Discovery by Stephan Sekula

References:
-----------
[1] https://onelan.com/products/publisher-cms/
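The following is an added example and not part of the advisory: a small Python scanner that flags JWTs carried in URL query strings, the check a defender would run over proxy or web-server access logs to find the exposure described in the Technical Description. The log lines, path and token payload/signature are constructed; only the JOSE header is the one shown in the advisory's request.

```python
"""Flag JSON Web Tokens exposed in URL query strings of access-log lines."""
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Compact JWS: header.payload.signature, base64url segments without padding.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_decode(segment: str) -> bytes:
    # base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(value: str):
    """Return the decoded JOSE header dict if value looks like a JWT, else None."""
    if not JWT_RE.match(value):
        return None
    try:
        header = json.loads(_b64url_decode(value.split(".")[0]))
    except ValueError:  # bad base64 (binascii.Error) or non-JSON header
        return None
    return header if isinstance(header, dict) and "alg" in header else None


def find_jwt_params(url: str):
    """Return [(param_name, alg)] for every JWT found in the URL's query string."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        header = jwt_header(value)
        if header is not None:
            hits.append((name, header.get("alg")))
    return hits


def scan_access_log(lines):
    """Return [(line_no, param, alg)] for every log line whose request URL carries a JWT.

    Assumes common-log-style lines where the request is quoted as
    '"GET /path?token=... HTTP/1.1"'.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/', line)
        for name, alg in find_jwt_params(m.group(1)) if m else []:
            findings.append((no, name, alg))
    return findings


# Constructed sample: header from the advisory, payload {"sub":"demo"}, dummy signature.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIn0.c2ln"
SAMPLE_LOG = [  # constructed log lines, not from the advisory
    '10.0.0.5 - - [06/Feb/2018:10:00:00 +0100] "GET /channel_soc/preview/x.channel?token='
    + SAMPLE_JWT + ' HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Feb/2018:10:00:01 +0100] "GET /api/status?id=42&cb=1517911201 HTTP/1.1" 200 17',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports only the first line, with the token parameter name and its `alg` value, which is what an analyst needs to locate the offending endpoints.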