exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

perfact::mpa Persistent Cross Site Scripting

perfact::mpa Persistent Cross Site Scripting
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that different functions of the web application perfact::mpa are prone to persistent cross-site scripting attacks due to insufficient user input validation.

tags | exploit, web, xss
SHA-256 | 3de9ebd0a6d7d71bc98db0dbfca47d2036e6cb55c8c5730f0710bc34b796c3d7

perfact::mpa Persistent Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-066
Product: perfact::mpa
Manufacturer: PerFact Innovation GmbH & Co. KG
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-12-18
Solution Date: 2016-01-18
Public Disclosure: 2016-02-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software solution perfact::mpa is a software architecture that, for
instance, is used to build web applications for the secure and reliable
remote maintenance of machines via the Internet (see [1]).

According to the manufacturer, remote control software built with
perfact::mpa impresses through the following features:

* location-independent and central monitoring,
* maintenance and error management,
* authorized remote access, and
* integrated documentation of incidents and services.

Due to improper input validation, the web application perfact::mpa is
vulnerable to persistent cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that different functions of the web application
perfact::mpa are prone to persistent cross-site scripting attacks due to
insufficient user input validation.

This kind of attack enables an attacker to persistently store attack
vectors in form of arbitrary code, for instance JavaScript code, in the
web application database, which may be executed in the context of other
users.

1) Persistent Cross-Site Scripting via uploaded HTML files

The SySS GmbH also found out that the file upload functionality for
file attachments to remote sessions allows the upload of HTML documents
containing JavaScript code which enables an attacker to perform
persistent cross-site scripting attacks.


2) Persistent Cross-Site Scripting via export report functionality

Further examples for persistent cross-site scripting vulnerabilities
were identified in the export report functionality (stored report) of
many views providing this option that could be exploited via different
parameters.

According to test results of the SySS GmbH, all report views generated
by the export report functionality are prone to persistent cross-site
scripting attacks, if an attacker can control any of the displayed
information, for example a description parameter.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) Persistent Cross-Site Scripting via uploaded HTML files

An authenticated user can upload an HTML file containing arbitrary
JavaScript code as an attachment to a remote session.

If this attached file is opened by another user within the perfact::mpa
web application, the attacker-controlled JavaScript is executed in the
context of the victim.


2) Persistent Cross-Site Scripting via export report functionality

If an attacker can control any of the displayed information of a stored
report, she or he is able to execute JavaScript code in the context of
other users that are viewing this report.

For example, the following simple attack vector can be used as user
description value of a user account:

Test<script>alert(1)</script>


The following output is an excerpt of the resulting HTML source code of
the stored report generated by the export report functionality
containing the injected JavaScript code:

(...)
<td class="export_as_text">Test<script>alert(1)</script></td>
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the PerFact Innovation GmbH & Co. KG, the
described security issue has been fixed in PerFact DB_Utils (toolkit)
software version 3.2.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-18: Vulnerability reported to manufacturer
2016-01-18: Response from manufacturer with detailed information about
the reported security vulnerability and its solution status
2016-02-05: E-mail to manufacturer according two open questions
2016-02-05: Response from manufacturer with further information
2016-02-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for perfact::mpa
http://perfact.de/mpa/index_html
[2] SySS Security Advisory SYSS-2015-066
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-066.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Sven Freund
of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW0+/3AAoJENmkv2o0rU2r8noQAJ4ZCybGIXu8JHN1yOYuPxX2
NWCFWqtwjm3E8iAP2jHaB63ps0HBFKzYXiRWAB6/Uk8hBnorwjQjkRQCY/evyjLH
HVk5Tvukr5bZqHnkUGLwed3Xz/jnVZlaeb/OMU7fQASDS06v/LxILkqIvBp577GM
lV6NKWHZgMz57ObADtJY6ffIJCNKYf+uPbECdMkpACsWKn2Kbh6l8xNARULh6yu3
AIIj8MJmJrYrph0V1tnyDXUtV++iFfO4YdqwI0WLPvEbmjOUEVbGtkzSdEgTfl9X
rN4Zmh9mcvdyhOMO0S+0w+4YgqXwmX6oqucMlAAQWc/8Wh95GP2oIuW6mjAKylIo
hNCFSmpctvXAbWINJLbC0rerCS8t+iEOkWZmkEyW6AIboEamwcebZ9N9/IFOYQcZ
tOhLdNqW5ltxpfKrbvFxAokh7Rvl1Up2gBNJWyDVHcYU+nQiecieHLiS1IGNoq5T
BTWcxw2KZRal750KKlMGM3kso3p9S0X/PIk7uDmPesdddOyAi+qTzMn6IZVh6tX3
FTSNrlIHrQu5t3cOsQ9Gq6R5KjbHA+1jqq2X5SvCkKDuDX2HfSit7wi4lr0LEKeD
X7+m4dYxFSZ1K5quegV1Dqt4dMKURsrvnzabBDNwQc2pnepdNaxTG2ZZP/q1H2GT
pnWUhWJloSq3AungqknK
=FHIW
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close