perfact::mpa Open Redirect

2016.03.02
Credit: Matthias Deeg and Sven Freund
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-073 Product(s): perfact::mpa Manufacturer: PerFact Innovation GmbH & Co. KG Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 Vulnerability Type: URL Redirection to Untrusted Site (CWE-601) Risk Level: Low Solution Status: Fixed Manufacturer Notification: 2015-12-18 Solution Date: 2016-01-18 Public Disclosure: 2016-02-29 CVE Reference: Not yet assigned Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software solution perfact::mpa is a software architecture that, for instance, is used to build web applications for the secure and reliable remote maintenance of machines via the Internet (see [1]). According to the manufacturer, remote control software built with perfact::mpa impresses through the following features: * location-independent and central monitoring, * maintenance and error management, * authorized remote access, and * integrated documentation of incidents and services. The web application perfact::mpa uses attacker-controlled input to redirect a user to another site (open redirect). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found out that the web application perfact:mpa accepts user-controlled input via the URL parameter "redir" that can be used to redirect victims to an arbitrary site which simplifies so-called phishing attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following URL redirects a user to the web site of the SySS GmbH: https://<HOST>/<PATH>/MPA2/i18n_lang_id?lang_id=1&redir=https://www.syss.de ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to information by the PerFact Innovation GmbH & Co. KG, the described security issue has been fixed in PerFact DB_Utils (toolkit) software version 3.2. Please contact the manufacturer for further information or support. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-12-18: Vulnerability reported to manufacturer 2016-01-18: Response from manufacturer with detailed information about the reported security vulnerability and its solution status 2016-02-05: E-mail to manufacturer according two open questions 2016-02-05: Response from manufacturer with further information 2016-02-29: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Web Site for perfact::mpa http://perfact.de/mpa/index_html [2] SySS Security Advisory SYSS-2015-073 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-073.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg and Sven Freund of the SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB E-Mail: sven.freund (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJW0/AUAAoJENmkv2o0rU2rDrIP/j3TIOlTm5kG+NYvD0VIfMy6 qwkMjJv9zqRBtm3Xd2rMs25N9NQqg5/YhTsrs0nkGsSbX+Iy8TrkGRm6dOgUlS/F u3ZQmGq2jUXmlGkmfkSg7HNn7Cv3mBhTjmt2v1DxngL7fo71oph0e3vhsDI/TEx3 wcTZrjcz7ovOxS1GQpm1Q89FCphxpUy+Di0RDIbKVe77zhpWSBllq132cGNrFhIS yWmQlCtiUCMggca73p6L3Bzs1RztpyN2ixnR27KqOi+M6NfnBWmCiUoTdfjekOrF levCy0ZMvRbZo3bwKz+wBgxaB71fd2j7SbUX/GWTAbX9mpghytwV/CpjIzgdoSmJ i+IWTKyZ/3+2i8kx6ykvb/syr8Qfjpcjp+fETzPkZuN2c2A8j/amdfXFdMOCmgDe ajnYC7BkTHAY1vH5XqPnV9ngZZF3BRRDfi9DmbmGbDJTM3yXjCNaHPnHbHMATdxw NZqLydKWEmH+in5U8V5dgzYtnJEMxqFLEsmRky6I/mze/qTfXl3DEdRP7oOEhkMF wnu+JPFJD7SDV0qkFvxM8Glo5DKXPIMPColZDYBi7OeOpBK0RA7F19xRCFmmcuP9 J2SKf8N+VKTXYnxbUdcW6VwJ2hM0/b/+LLfc4EaAFD8EN46Ls2uXhgyeQjZzN/TA idv5YOP60cFc3xB2FWuV =5w5A -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top