what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sysPass Cross Site Scripting

sysPass Cross Site Scripting
Posted Dec 8, 2015
Authored by Daniele Salaris | Site syss.de

sysPass versions and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | fccd3f6bd7b3f2d36da082f59aaa70d871cc6f8aa84ce409fb7f5e31656b9346

sysPass Cross Site Scripting

Change Mirror Download
Hash: SHA512

Advisory ID: SYSS-2015-047
Product: sysPass
Vendor: http://cygnux.org/
Affected Version(s): and below
Tested Version(s):
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-07-14
Solution Date: 2015-10-26
Public Disclosure: 2015-12-07
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)



sysPass is an web based Password Manager written in PHP and Ajax with a
built-in multiuser environment.

The functionality "Account Details" is prone to a reflected cross-site
scripting vulnerability.

The software manufacturer describes the web application as follows
(see [1]):

"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:

* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."


Vulnerability Details:

The PHP script ajax_getContent.php of the web application functionality
"Account Details" is vulnerable to reflected cross-site scripting
via the parameter "lastAction".

The web application sysPass inserts the injected code into the "back"
button of the result web page where it can be triggered.

This reflected cross-site scripting vulnerability can be exploited in
the context of an authenticated user by sending a specially crafted HTTP
POST request (see PoC section).


Proof of Concept (PoC):

The following HTTP POST request using the JavaScript code "'-alert(1)-'"
as the value for the parameter "lastAction" demonstrates the reflected
cross-site scripting vulnerability by showing a JavaScript alert box
after the "back" button was clicked:

POST /sysPass/ajax/ajax_getContent.php HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/sysPass/index.php
Content-Length: 74
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


The server answers as follows:

HTTP/1.1 200 OK
<img src="imgs/back.png" title="Back" class="inputImg" id="btnBack"
OnClick="doAction('accsearch'-alert(1)-'', 'accview',1)"/>



The reported security vulnerability has been fixed in a new software
release. Update to the new software version.


Disclosure Timeline:

2015-07-14: Vulnerability discovered
2015-07-14: Vulnerability reported to vendor
2015-10-26: Release of new software version that addresses the reported
security issue.
2015-12-07: Public release of security advisory



[1] Web site of sysPass - sysadmin password manager
[2] SySS Security Advisory SYSS-2015-047
[3] SySS Responsible Disclosure Policy



This security vulnerability was found by Daniele Salaris of the SySS GmbH.

E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web



Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By