mailing list archives
One Click Orgs 1.4.1 Multiple Vulnerabilities
From: Darren McDonald <athena () dmcdonald net>
Date: Wed, 23 Nov 2011 23:12:53 +0000
One Click Orgs, Multiple Vulnerabilities
Version 1.0, 2011-11-19
“One Click Orgs allows users to set up a simple, effect legal
structure and voting system which can help groups open a bank account,
hold property, and keep the whole team involved in day to day
After I posted a message on London Hackspace offering a security
assessment for a community project, One Click Orgs responded and set
up a instance of their software to allow me to test it. This was back
in August 2011. OneClickOrgs has now corrected these issues, and they
have updated their production instance at www.oneclickorgs.com.
Version 1.2.1 was tested, users should upgrade to version 1.2.3 to
correct the listed vulnerabilities.
Finding 1 – Stored Cross Site Scripting
The application does not correctly encode the description field of a
screens. The following string can be used as a proof of concept.
<img src=”xyz” onerror=”alert(1)” />
Similar to instance one, the description field in the eject member
proposal functionality is also vulnerable to stored cross site
Finding 2 – Open URL Redirection
The application accepts any value in the ‘return_to’ field and
redirects the user using a 302 to the specified value. This could be
used to construct URLs which would contain a valid one click orgs
instance, yet redirect the user to another site.
PoC URL: http://testorg.oneclickorgs.com/votes/vote_for/8?return_to=http://dmcdonald.net
Finding 3 – Email Address is Not Unique
One Click Orgs allows user to amend their email address to that of
another org member. If the user modifying their email address joined
the org before the target user, this can prevent the user from logging
in. This could also be used to masquerade as another user apparently
submitting votes and comments on behalf of another user. However,
votes cast would be tied to the userid of the attacking user and this
would not allow additional votes.
When a user modifies their email address
When a user is created through a proposed member vote or when they are
added as an initial founder.
Finding 4 – 2nd Order SMTP Injection
One Click Orgs is vulnerable to SMTP Injection. This could be used to
send SPAM email messages or exploit any potential vulnerabilities in
the SMTP server.
Setting the org name to contain double quote marks and newlines allows
an attacker to escape the From descriptor when emails are sent to new
Users can modify their email addresses to include double quotes which
causes similar issues.
One Click Orgs also corrected three other minor issues to improve the
security of the application. These issues were a further low risk
instance of URL redirection (only exploitable by the inital founding
member or an amazingly timed CSRF), autocomplete enabled on login
forms, and username discovery through differing login error message.
 One Click Orgs Website, http://www.oneclickorgs.com, Accessed 2011-11-19
http://dmcdonald.net/?page_id=43 – The latest version of this advisory
http://www.oneclickorgs.com – The One Click Orgs Website
aka Darren McDonald
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- One Click Orgs 1.4.1 Multiple Vulnerabilities Darren McDonald (Nov 23)