'[FD] SEC Consult SA-20230925-0 :: Stored Cross-Site Scripting in mb Support broker management soluti'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] SEC Consult SA-20230925-0 :: Stored Cross-Site Scripting in mb Support broker management soluti
From:       "SEC Consult Vulnerability Lab, Research via Fulldisclosure" <fulldisclosure () sec
Date:       2023-09-27 8:38:20
Message-ID: f057dbdb-2c86-4b5f-9db7-f739faa36227 () sec-consult ! com
[Download RAW message or body]

SEC Consult Vulnerability Lab Security Advisory < 20230925-0 >
=======================================================================
               title: Stored Cross-Site Scripting
             product: mb Support broker management solution openVIVA c2
  vulnerable version: <20220801
       fixed version: =>20220801
          CVE number: CVE-2022-39172
              impact: Medium
            homepage: https://mbsupport.de
               found: 2022-03-16
                  by: Daniel Hirschberger (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Support small and medium-sized companies as well as large corporate customers
with just one software. Sales , inventory management , billing , e-mail and
much more - with openVIVA c2 you get everything in one application. Without
system disruption and in one database, you can do all the work of an insurance
broker with one piece of software.

Connect brokers, intermediaries, insurers and customers directly with our
self-service portals . Strengthen your customer relationships and work more
efficiently yourself.

mb Support offers portals for intermediaries as well as industrial and
commercial customers and tailor-made portal solutions for insurers, brokers and
private customers."

Source: https://mbsupport.de/

Business recommendation:
------------------------
The vendor provides an updated version to their customers.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting (CVE-2022-39172)
An authenticated attacker with privileges of the role 'user' can create a new
'Vorgang' (Process). The field 'Name' is not sanitized and enables an attacker
to perform a stored XSS attack. Additionally, the field 'Hauptverantwortlicher'
(persons mainly responsible) can be used to assign this 'Vorgang' to another user
who will receive it in his overview list. This results in a targeted stored
XSS attack.

Proof of concept:
-----------------
1) Stored Cross-Site Scripting (CVE-2022-39172)
The application is developed on top of Oracle Apex
(https://apex.oracle.com/en/) which provides several security features to
developers. Two of those are request replay protection and parameter
checksumming which make it hard to develop a PoC which only consists of
requests and responses. Therefore this PoC will be a textual description of the
required steps and supplemented with pictures. Additionally the library
'AlertifyJS' is used, which changes the appearance of alert popups which
can be confusing if you are used to the standard alert popups.

To execute the attack the following steps have to be performed:
1. Log in to openVIVA c2
2. Go to 'mein openVIVA' (my openVIVA)
3. Click on 'Vorgangszuordnung' (Process Assignment)
4. Click on 'Neuen Vorgang starten' (Start new Process)
5. In the new form enter the XSS payload into the 'Name' field, for example
    "<script>alert('XSS')</script>"
6. Choose your victim as 'Hauptverantwortlicher' (persons mainly responsible)
7. Click on the three dots
8. Click on 'Speichern' (save)

The victim now has a new 'Vorgang' in his inbox. If the 'Vorgänge' menu is clicked,
the victim is redirected to the list of assigned 'Vorgänge'. Because our payload
is in the name field it is executed as soon as the list of processes is loaded.

Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
* openVIVA c2 20220101

Vendor contact timeline:
------------------------
2022-03-30: Contacting vendor through email followed by a telephone call,
             sent the advisory
2022-04-20: Asking for status update
2022-04-22: Patch release is planned for August
2022-07-26: Statuscall: Patch exists, advisory release delayed until
             rollout to all customers is complete (~ August 2023(!))
2023-09-18: Asking for a status update and patch download information.
             Vendor response: no public link available; few customers
             still have no patch.
2023-09-25: Release of security advisory

Solution:
---------
Upgrade to version 2022-08-01 or later. The vendor has no public
download link available as all customers will be patched according
to their maintenance contract.

Workaround:
-----------
None

Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult? Send us your application
https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2023
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread] 