lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1WTBly-00071b-Jb@redteam-pentesting.de>
Date: Thu, 27 Mar 2014 16:01:05 +0100
From: RedTeam Pentesting GmbH <release@...team-pentesting.de>
To: fulldisclosure@...lists.org
Subject: [FD] [RT-SA-2014-002] rexx Recruitment: Cross-Site Scripting in
 User Registration

Advisory: rexx Recruitment Cross-Site Scripting in User Registration

RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability
in rexx Recruitment's user registration page during a penetration test.
If attackers can persuade users to click on a prepared link or
redirected them to such a link from an attacker-controlled website, they
are able to run arbitrary JavaScript code in the context of the rexx
Recruitment installation's domain.


Details
=======

Product: rexx Recruitment
Affected Versions: Releases prior to those fixed on 2014-01-15
Fixed Versions: R6.1 and R7 with fixes from 2014-01-15
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: http://www.rexx-systems.com
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-002
Advisory Status: published
CVE: CVE-2014-1224
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1224


Introduction
============

"rexx Recruitment supports around 3 million application processes each
year (data from 2011). This stems from experience in applicant
management: from company recruitment in small and medium-sized
enterprises and international companies, through to specialised
personnel service providers.

The rexx Recruitment software supports paper, online and email
applications. All information about and communication with the applicant
at a glance in the digital applicant file!"

(from rexx systems' homepage)


More Details
============

The rexx Recruitment software includes a user registration where job
applicants who want to stay informed about new vacancies can register.
The registration site is usually available at the path "/reg", for
example at a URL like the following:

http://www.example.com/reg

The website asks for some mandatory data like name and surname as well
as postal and email addresses. If a mandatory entry is missing when
submitting the data, the website will present the registration site
again to the user, with those input fields pre-populated with the data
that was already filled in and error messages for the missing input
fields. The pre-populated "first name" field with the name "redteam"
would for example look as follows in the HTML source code:

<input type="text" style="" id="fname" name="fname" value="redteam" title="" />

If it is now tried to embed control characters like an opening angle
bracket in the name, the system filters the input by removing everything
after the bracket.  The value "red<team" would for example be shortened
to "red".

The application also removes known event handlers from user input, so
the input

redteam" onmouseover="alert('RedTeam Pentesting')

is reduced to

redteam" "alert('RedTeam Pentesting')

However, event handler unknown to the application are not removed, so
the HTML5 event handler "oninput" is not recognized and can be used to
run JavaScript code as soon as a user starts to type in the input field:

redteam" oninput="alert('RedTeam Pentesting')

It is also possible by simply adding the even handler two times to make
the application only remove one instance of the string. The input

redteam" onfocusonfocus=="alert('RedTeam Pentesting')" autofocus="autofocus

will be changed to the desired string

redteam" onfocus="alert('RedTeam Pentesting')" autofocus="autofocus

and therefore the input field will look like this:

<input type="text" 
       style=""
       id="fname"
       name="fname"
       value="redteam"
       onfocus="alert('RedTeam Pentesting')"
       autofocus="autofocus"
       title="" />


Proof of Concept
================

The following URL adds a new "onfocus" event handler to the "fname"
input field that gets executed as soon as the website is loaded due to
the "autofocus" attribute:

http://www.example.com/reg
  ?fname=redteam"%20onfocusonfocus%3d%3d"alert('RedTeam%20Pentesting')"%20autofocus%3d"autofocus
  &continue.x=
  &continue.y=


Workaround
==========

If possible, disable user registration and disallow access to the
registration website, e.g. by blocking access in the web server.


Fix
===

Update to versions R6.1 or R7 with the fixes from 2014-01-15 included.


Security Risk
=============

The risk of this vulnerability is estimated to be high. Being able to
embed arbitrary JavaScript code allows attackers to completely
manipulate the website, add their own content and track all user
interaction.


Timeline
========

2013-12-04 Vulnerability identified
2013-12-10 Customer approved disclosure to vendor
2013-12-13 Vendor notified
2014-01-15 Vendor released fixed version
2014-02-11 CVE number requested and assigned
2014-03-27 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ