Gibbon v14.0.01 - Frame Injection Vulnerabilities
Advisory ID: RO-18-012
Severity: Medium
Vendor: Gibbon
Product: Gibbon
Version: v14.0.01
Overview
Frame Injection vulnerabilities exist in Gibbon v14.0.01. These vulnerabilities allow remote attackers to inject arbitrary HTML frames into the application.
Vulnerability Details
Affected Versions: v14.0.01 and earlier
Root Cause: Insufficient validation of user-supplied parameter values allows attackers to inject iframe elements into the rendered page.
Technical Details
Install Page:
URL: /gibbon-install/installer/install.php?step=2
Parameters: databaseServer, databaseUsername (POST)
Attack Pattern:
Frontend:
URL: /core/index.php?q=/modules/Resources/resources_view.php
Parameter: tag (GET)
Attack Pattern:
Exploitation Requirements
No authentication is required for the frontend vulnerability.
Access to the install page (typically restricted) is required for the install-page vulnerability.
Impact
Remote attackers can exploit these vulnerabilities to:
Inject malicious frames into the application
Perform clickjacking attacks
Load external malicious content
Solution
Update to a patched version of Gibbon.
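The kind of fix this class of bug needs, shown as an added example that is not Gibbon's own code: a hypothetical handler that reflects the `tag` query parameter into HTML, first in the vulnerable form and then with input validation and HTML output encoding; the same pattern applies to the `databaseServer` and `databaseUsername` POST parameters on the install page. The CSP/X-Frame-Options headers at the end are a defence-in-depth assumption, not something the advisory states.

```php
<?php
// Added example, not Gibbon's code. Hypothetical handler for a page that
// reflects the `tag` query parameter into its HTML, as resources_view.php did.

// Vulnerable pattern: the raw parameter is written into the page, so a value
// containing an <iframe ...> element becomes a live frame in the response.
function renderTagVulnerable(array $query): string
{
    $tag = $query['tag'] ?? '';
    return '<h2>Resources tagged: ' . $tag . '</h2>';
}

// Hardened pattern: validate the value against the shape a tag is expected
// to have, then encode for the HTML context on output.
function renderTagHardened(array $query): string
{
    $tag = $query['tag'] ?? '';
    // Assumption: tags are short words of letters, digits, spaces, _ or -.
    // Anything else is rejected rather than rendered.
    if (!preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $tag)) {
        http_response_code(400);
        return '<h2>Invalid tag</h2>';
    }
    // ENT_QUOTES | ENT_HTML5 encodes < > & " ' so no markup can be introduced
    // even if the validation rule above is later relaxed.
    $safe = htmlspecialchars($tag, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Resources tagged: ' . $safe . '</h2>';
}

// Defence in depth (assumption, not from the advisory): forbid framed content
// in the page so an encoding miss cannot load external frames, and forbid
// embedding the page itself to block clickjacking of the application.
function sendFrameRestrictingHeaders(): void
{
    header("Content-Security-Policy: frame-src 'none'; child-src 'none'");
    header('X-Frame-Options: DENY');
}

// Constructed sample inputs: a benign tag and an injected frame element.
$benign    = ['tag' => 'Maths'];
$malicious = ['tag' => '<iframe src="https://attacker.invalid/"></iframe>'];

echo renderTagVulnerable($malicious), "\n"; // frame markup survives intact
echo renderTagHardened($benign), "\n";      // tag rendered as plain text
echo renderTagHardened($malicious), "\n";   // rejected by validation
```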
References
Invicti Advisory NS-18-002
Timeline:
[2018-01-17] - First Contact
[2018-01-20] - Vendor Fixed
[2018-06-28] - Advisory Released
Credits: Omar Kurt