exploit the possibilities

perfact::mpa Reflected Cross Site Scripting

perfact::mpa Reflected Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund

SySS GmbH found out that the request new user and translation functionalities of the web application perfact::mpa are prone to reflected cross-site scripting attacks.

tags | exploit, web, xss
MD5 | 90e4d95861b1c3c40a936470c24a1c83

perfact::mpa Reflected Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-070
Product: perfact::mpa
Manufacturer: PerFact Innovation GmbH & Co. KG
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-12-18
Solution Date: 2016-01-18
Public Disclosure: 2016-02-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software solution perfact::mpa is a software architecture that, for
instance, is used to build web applications for the secure and reliable
remote maintenance of machines via the Internet (see [1]).

According to the manufacturer, remote control software built with
perfact::mpa impresses through the following features:

* location-independent and central monitoring,
* maintenance and error management,
* authorized remote access, and
* integrated documentation of incidents and services.

Due to improper input validation, the web application perfact::mpa is
vulnerable to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the request new user and translation
functionalities of the web application perfact::mpa are prone to reflected
cross-site scripting attacks.

This cross-site scripting vulnerability allows an attacker to send a
manipulated link to his victim in order to execute arbitrary JavaScript
code in the context of his victim's web browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) NewAppUserReq (request new user functionality)

The following URL is an example of an attack vector exploiting a
reflected cross-site scripting vulnerability via the parameter
"no_user_name" of the request new user functionality:

https://<HOST>/<PATH>/MPA2/MPA2/Open/NewAppUserReq/index_html?no_user=1
&no_user_name=<script>alert("SySS XSS!")</script>


2) i18n_wrapper_call (translation functionality)

The following URL is an example for an attack vector exploiting a
reflected cross-site scripting vulnerability via the parameter
"content" of the translation functionality (i18n_wrapper_call):

https://<HOST>/<PATH>/i18n_wrapper_call
?content=%3Cscript%3Ealert%28%22SySS%20XSS!%22%29%3C/script%3E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the PerFact Innovation GmbH & Co. KG, the
described security issue has been fixed in PerFact DB_Utils (toolkit)
software version 3.2.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-18: Vulnerability reported to manufacturer
2016-01-18: Response from manufacturer with detailed information about
the reported security vulnerability and its solution status
2016-02-05: E-mail to manufacturer according two open questions
2016-02-05: Response from manufacturer with further information
2016-02-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for perfact::mpa
http://perfact.de/mpa/index_html
[2] SySS Security Advisory SYSS-2015-070
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-070.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Sven Freund
of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW0/AIAAoJENmkv2o0rU2ri/gP/1YJoIZoLGropW6R8kxpz0l0
GB8oM+PXC2KEI101suBNI5ezLvPuonAFjobq0w5ChfEj7EEfsiAVUZ5Ftdk2mgqG
UvrpMXm3UU5nxXjniqxK/23BgH0yazQv/c1Fp+gqGwp7UIFazt2x6eLGowcbJ3Df
4ePJmm6MFOlvoh457ePmZ81QwZFgHgrwVnr3Hhk4myblxZvXdJRnK+rRYuiPq4Ga
4wxoU3L2OjvDunFAKKUhCWk5+cAC+U/uwELH7rYko5M9eoz6FGBoXZBGamsQlyRh
ACoL6GJCkfMykwvDJEQ2hZywFnuW43uIlasndmNKDP1p3I7UHcFNTf9ogx33+RVr
9WsvCk0wZaOTvP95wHle2WJx2jrcbetG3m2CPVkVAOZEYaoXGVzqmjK/SabsIooV
EfcMjJUCRyiyytyAbjR4MzjpTkQ7CqR4ylzPFY7tIjZmA1aAg/1Ocv8KY7W5Fv//
D8PZtZj25+lWmaSwuVneV9n+gR43oIAc42//Xb4pcbF77hYd6aS3616KEsJ69ea/
P2wvOcqN1KxfvyBPc1DcSj01/IsHlqgdQiZQqh8eHNGxZBW5HTUeUcJ/xD4Undxn
ZE5CH23m/5RIwXVb2TL2jzmTaV8LcESxOVidIaKA6ux3gNpRLs+ZdDBX6UXH4l3P
leR6vzI/DeTs2+gbilYm
=5GI9
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close