lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 04 Aug 2021 11:01:00 +0000
From: merion44 via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Connect-app (CDU) Version: 3.8 - Cross Site Scripting

app: connect-app (cdu) (version: 3.8)

cross-site scripting in the registration form name variables. Remote attackers can inject js payloads as name variables to exploit the frontend in the profile view and potentially execute in the backend via the preview. Uncertainty in validating object names in outbound emails, causing the context to be validated insecurely. This allows reflected execution in the message body of the email where the name variable is visible. You can see in the main validation how the developers have tried to parse and encode the content with backslashes and other characters. In this way, the type of validation can easily be bypassed by using simple frames with a source that points to a external link. We have tested this in the portal where the code is executed, we have tested it in the outgoing service emails that insert the name variably in the email body, and we have also tested the stored content that was submitted via the API. All contents was transmitted insecurely and can be manipulated to trigg
 er simple cross-site scripting payloads, hijack user session credentials or manipulate outbound emails with reflected malicious content on the application side.

We decided to bring the issue directly to the public after the CDU opened a court case to criminalise a German hacker following a Whitehat report. Normally we wanted to report the vulnerabilities directly via Responsible Disclosure, but were deterred by incidents mentioned above. These did not stop us but we therefore chose another way to make noise.

ref: https://www.golem.de/news/connect-app-cdu-verklagt-offenbar-hackerin-nach-melden-von-luecken-2108-158647.html

ref: https://www.golem.de/news/connect-app-cdu-nimmt-wahlkampf-app-nach-datenleck-offline-2105-156471.html

greetz to cdu
by team smackback

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists