Snapforce CRM 8.3.0 Cross Site Scripting

2019.08.23
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Hello Team, Greetings.

There is a list of XSS vulnerabilities and a concurrent-login weakness in the Snapforce CRM application, https://crm.snapforce.com/prodigy/login.php?timeout (version 8.3.0).

Vulnerability List:
1. Stored Cross Site Scripting
2. Stored Cross Site Scripting through UI redirection
3. Concurrent logins are allowed

Affected URL:
https://crm.snapforce.com/prodigy/login.php

Steps to reproduce:
1. Log in to the application at https://crm.snapforce.com/prodigy/login.php
2. Go to the Accounts creation page and create a new Account.
3. Fill in all required parameters, insert the XSS payload in the description field and save it.
4. Once the XSS payload is saved in the description field, the cross site scripting payload executes.
5. The application can redirect to an attacker-controlled site; in my case I redirected to the google.com page.
6. For more information please see the attached file.

Payloads:
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<script>document.location='https://google.com'</script>

Mitigation:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

• Output encoding: It is recommended to implement 'output encoding' to convert untrusted input into a safe form, so that the input is displayed as data to the user without executing as code in the browser.

Java HTML encoding function:

    import java.text.StringCharacterIterator;

    public static String HTMLEncode(String aTagFragment) {
        final StringBuffer result = new StringBuffer();
        final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
        char character = iterator.current();
        while (character != StringCharacterIterator.DONE) {
            if (character == '<')
                result.append("&lt;");
            else if (character == '>')
                result.append("&gt;");
            else if (character == '\"')
                result.append("&quot;");
            else if (character == '\'')
                result.append("&#039;");
            else if (character == '\\')
                result.append("&#092;");
            else if (character == '&')
                result.append("&amp;");
            else {
                // the char is not a special one: add it to the result as is
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

ESAPI API:

    import org.owasp.esapi.ESAPI;

    String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );

• Filtering input parameters: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering works by removing some or all special characters from the input. Special characters are characters that enable script to be generated within an HTML stream. They include the following: < > " ' % ; ) ( & + -

JavaScript code:

    function RemoveBad(strTemp) {
        strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
        return strTemp;
    }


Copyright 2019, cxsecurity.com
