Document Title: =============== Salesforce (Event Registration) - Persistent Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=1991 Release Date: ============= 2017-01-11 Vulnerability Laboratory ID (VL-ID): ==================================== 1991 Common Vulnerability Scoring System: ==================================== 3.8 Product & Service Introduction: =============================== Salesforce.com is an American cloud computing company headquartered in San Francisco, California. Though its revenue comes from a customer relationship management (CRM) product, Salesforce also capitalizes on commercial applications of social networking through acquisition. As of early 2016, it is one of the most highly valued American cloud computing companies with a market capitalization above $55 billion, although the company has never turned a GAAP profit in any fiscal year since its inception in 1999. (Copy of the Homepage: https://en.wikipedia.org/wiki/Salesforce.com ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered an application-side input validation vulnerability and mail encode issue in the official Salesforce online service web-application. Vulnerability Disclosure Timeline: ================================== 2016-10-25: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2016-10-26: Vendor Notification (Salesforce Bug Bounty Program - Security Team) 2017-01-11: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== SalesForce Product: Dreamforce - Online Service (Web-Application) 2016 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A persistent vulnerability and mail encode issue has been discovered in the official Salesforce Dreamforce web-application. The security vulnerability allows remote attackers to inject own malicious script code to the application-side of the service. The vulnerability is a persistent input validation and mail encode vulnerability. The issue is located in the registration website formular POST method request with the firstname and lastname input credentials. Remote attackers are able to inject own malicious script code during the registration to send the manipulated emails to any random target email by the original salesforce sender. The vulnerable input is located in the registration formular for the dreamforce event and the execution point occurs in the outgoing email with application-side effect. The security risk of the persistent vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. Exploitation of the application-side vulnerability requires no privileged web-application user account and only low user interaction. Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious sources and persistent manipulation of affected or connected web module context. Request Method(s): [+] POST Vulnerable Module(s): [+] registration Vulnerable Parameter(s): [+] name Proof of Concept (PoC): ======================= The input validation vulnerability and mail encode vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the dreamforce registration formular website 2. Inject a payload to the firstname and lastname input fields 3. Process to submit the form via POST method request 4. Watch the target inbox 5. The payload executes in the mail header next to the introduction with the name parameter output 6. Successful reproduce of the vulnerability! PoC: Exploitation (Remote) Email Source Sehr geehrter Herr >< %20%20>