exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PubliXone 2019.045 Account Takeover / XSS / File Download

PubliXone 2019.045 Account Takeover / XSS / File Download
Posted Oct 26, 2020
Authored by Marius Schwarz | Site sec-consult.com

PubliXone version 2019.045 suffers from cross site scripting, account takeover, missing access control, hardcoded keys, and file download vulnerabilities.

tags | advisory, vulnerability, xss
advisories | CVE-2020-27179, CVE-2020-27180, CVE-2020-27181, CVE-2020-27182, CVE-2020-27183
SHA-256 | 335b0ed6593ae546e5391338f5409fe47a059f9e6c4983c15c5039a0bf3c1935

PubliXone 2019.045 Account Takeover / XSS / File Download

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20201023-0 >
=======================================================================
title: PubliXone - Multiple Vulnerabilities
product: konzept-ix publiXone
vulnerable version: 2019.045
fixed version: 2020.015
CVE number: CVE-2020-27179, CVE-2020-27183, CVE-2020-27180,
CVE-2020-27181, CVE-2020-27182
impact: critical
homepage: https://konzept-ix.com/publixone/
found: 2020-05-15
by: Marius Schwarz (Office Munich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
Since it was founded in 1996, our company has been developing and integrating
software solutions to organize and streamline processes within print and media
prepress as well as in marketing. We have achieved an excellent market position
and established our solutions across Europe with our pioneering spirit and our
evangelism. Proof of this can be seen in hundreds of installations with countless
users. We deliver innovative, unrivalled concepts in the areas of web-to-print,
marketing management, print-/marketing-on-demand as well as file management and
synchronization. A very important part of the process for us is continuously
developing our products and precisely adapting them to our users' needs.

Source: https://konzept-ix.com/


Business recommendation:
------------------------
SEC Consult recommends to update publiXone to the latest version (2020.015).


Vulnerability overview/description:
-----------------------------------
1) Account Takeover (CVE-2020-27179)
The password reset functionality can be abused to reset the password of any
user. The token for the password-reset is encrypted and contains the user ID
and a timestamp. The password for the encryption is hardcoded in the
source-code of the Java applet. By using this key, an attacker can create
valid tokens for any user and set the set password to a chosen value.

2) Missing Access Control for API Endpoints (CVE-2020-27183)
In the source-code of the Java applet, several endpoints were identified.
The endpoints are public and don't require authentication. The components
communicate via serialized Java Objects.

Among others, the following actions are available:

- UploadFile
- DownloadFile
- GetUserData
- SendMail
- SetUserData
- CreateDir

3) Unauthenticated File Download (CVE-2020-27180)
Via the IXCopy endpoint, files can be downloaded by specifying a unique
file ID. The ID is iterative and can be enumerated. No authentication is
required to download the files, which are mostly Adobe XCopy files. This
issue is not related to the 'DownloadFile' vulnerability described in 2).

4) Hardcoded AES Keys (CVE-2020-27181)
The web application uses a Java applet for editing marketing materials. In the
decompiled source-code of the applet a hardcoded AES key has been identified.
This can be exploited to accomplish the account takeover, described in 1).

5) Reflected Cross-Site Scripting (XSS) (CVE-2020-27182)
Several reflected cross-site scripting vulnerabilities have been identified.


Proof of concept:
-----------------
[ Proof of concept has been removed ]


Vulnerable / tested versions:
-----------------------------
The vulnerabilities were identified in version 2019.045 of publiXone.


Vendor contact timeline:
------------------------
2020-08-03: Sending vulnerability details to vendor.
2020-08-18: Asking vendor for further information (no response).
2020-09-21: Sending reminder to vendor (no response).
2020-10-05: Sending another reminder to vendor (no response).
2020-10-20: Phone call with the vendor confirming the vulnerabilities are
fixed in the latest version (2020.015).
2020-10-23: Publishing advisory without the proof of concept code.


Solution:
---------
The vulnerabilities have been fixed in version 2020.015.


Workaround:
-----------
-


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Schwarz / @2020



Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close