A vulnerability reported in resident.uidai.gov.in allows anyone to change content on the UIDAI website. The UIDAI Resident Portal has direct access to Aadhaar demographic data. The vulnerability (an XSS) allows anyone to embed any tweet on the UIDAI website.
The UIDAI Resident Portal (with read access to the entire Aadhaar demographic data set) is running a vulnerable version of the Liferay software: Liferay 6.1, which was declared End-of-Life in February 2016.
This release carries multiple known vulnerabilities, including:
- An XSS issue, for which a PoC can be found at resident.uidai.gov.in (picture credits: @sanitarypanels)
- Multiple RCEs: see issue-62, for example.
You can find a simple proof of concept for the XSS issue at resident.uidai.gov.in. It loads $CDN_HOST/Resident-theme/js/custom.js, in this case https://scan.bb8.fun/Resident-theme/js/custom.js, which hosts a small snippet that overwrites the HTML of the page. It shows up like this:
The current script allows embedding any tweet using a tweet parameter. To embed one, go to any tweet, copy the part of its URL after twitter.com and pass it as the tweet parameter. For example, to embed this tweet:
- Look at the URL: 13footwall/status/979301578686345216, and pass it as the tweet parameter.
- The URL becomes
- SHARE IT
I initially reported this to firstname.lastname@example.org in Jan 2017:
Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:
This is still not fixed. Here is a complete timeline:

| Date | Event |
|---|---|
| 16 Jan 2017 | Initially reported to |
| 21 Jan 2018 | Reported to |
| 19 Feb 2018 | Reminder sent to |
| 19 Feb 2018 | Acknowledgement from CERT |
| 15 Mar 2018 | Reminder sent. No response |
| 17 Mar 2018 | Notified NCIIPC |
| 18 Mar 2018 | Confirmation from NCIIPC asking for more details. I replied back with a quote of the previous exchange |
| 19 Mar 2018 | Confirmation from NCIIPC thanking me for the report |
| 19 Apr 2018 | Reminder sent to UIDAI asking for acknowledgement |
| 30 May 2018 | Reminder sent to NCIIPC and CERT asking for updates |
The only change that I'm aware of since my initial report is that the website stopped declaring the Liferay version in an HTTP response header.
Originally published here.