Document Title:
===============
Sparkasse - Multiple Persistent Cross Site Scripting Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2173
Release Date:
=============
2019-03-07
Vulnerability Laboratory ID (VL-ID):
====================================
2173
Common Vulnerability Scoring System:
====================================
4.6
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Product & Service Introduction:
===============================
A savings bank is a credit institution with the task of offering
opportunities to broad sections of the population.
to offer financial investment, to carry out payment transactions and to
meet local credit needs.
to satisfy the needs of small and medium-sized enterprises as well.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Sparkasse )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in the Sparkasse online service
web-application.
Vulnerability Disclosure Timeline:
==================================
2018-10-25: Researcher Notification & Coordination (Security Researcher)
2018-10-26: Vendor Notification (S-CERT Department)
2018-10-29: Vendor Response/Feedback (S-CERT Department)
2019-02-20: Vendor Fix/Patch (Service Developer Team)
2018-**-**: Security Acknowledgements (S-CERT Department)
2019-03-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sparkasse
Product: Mailing Server - Online Service (Web-Application)
2018 Q4 - 2019 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official sparkasse online service newsletter web-application.
Local low privileged user accounts are able to inject own malicious
script codes on the application-side of the vulnerable service module.
The vulnerability is located in the `firstname`, `lastname` and
`companyname` values of the `newsletter` module. The vulnerable parameters
are f[1][v], f[2][v] & f[2][v]. Remote attackers are able to inject own
malicious script code via POST method request to the application-side
of the sparkasse dns domain mailing service. The attack vector of the
vulnerability is persistent on the application-side and the request
method to inject is POST. The attacker does not need to be directly
authenticated because its only an initial registration without direct
activiation request. The injection point are the vulnerable input fields
and the execution of the malform injected code takes place in the
`mailing.sparkasse.de` or unique `*sparkasse.de` domains by a
client-side GET method request.
The issue affects all pages listed with the newsletter module. Thus lead
to an integration to all the different
domains by the involved service provider. Now the vulnerability is all
over in the sparkasse domains and allows email spoofing, phishing,
cross site requests for redirect to malware or exploits and persistent
manipulation of sparkasse domain (dbms) contents. Due to a crawl we
identified a large list of affected web-applications from sparkasse by
usage of different google dork methods. A targeted user can not see
that the manipulated website is insecure because of the trusted native
source that deliveres the contexts over the sparkasse mailing api.
The security risk of the persistent web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system v3) count of 5.2.
The exploitation of the persistent input validation web vulnerability
requires low user inter action and no privileged application user account.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing, persistent external redirects to
malicious sources
and persistent manipulation of affected or connected web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Newsletter
Vulnerable Input(s):
[+] Vorname
[+] Nachname
[+] Firmenname
Vulnerable Parameter(s):
[+] f[1][v]
[+] f[2][v]
[+] f[3][v]
Affected Domain(s):
[+] mailing.sparkasse.de
[+] other unique domains like news.sparkasse ...
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low
privileged application user account and medium required user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.
Google Dorks:
allinurl:sparkasse /de/home/service/newsletter.html
allinurl:sparkasse newsletter.html?n=true
Google Dork URL:
https://www.google.com/search?q=allinurl:sparkasse+/de/home/service/newsletter.html
https://www.google.com/search?q=allinurl:%3Asparkasse+newsletter.html?n?true
Payload: Phishing
test">
Payload: Session Hijacking
test">
test">
Payload: Malware or Exploit
test">
Payload: Redirect
test">
PoC: Demo URLs (Examples)
https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1
https://mailing.sparkasse.de/-viewonline2/6511/457/1029/961H3567/80CK9NcUj9/1
https://news.sparkasse-allgaeu.de/-viewonline2/6620/759/2129/tmBn69YJ/kU02LY1vXk/1
--- PoC Session Logs (POST) [Inject] ---
https://www.sparkasse-aachen.de/content/myif/spk-aachen/work/filiale/de/home/misc/vps/gate/_jcr_content.bin/emma/api/rest/39050000/optinsetup/5/form
Host: www.sparkasse-aachen.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer:
https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 324
Cookie: JSESSIONID=0000IkwJ8m_99MAwctzQGQvKqQ7:559eb1d1d;
IF6CONTEXT=SVBTVEFOREFSRDozOTA1MDAwMDpkZTpJRjpmYWxzZTpzcGstYWFjaGVu;
IFCLONE=559eb1d1d; IF_SPKDE_CHECK=SPKDE_CHECK;
vpi-3117116-SPKDE16=rd901o00000000000000000000ffffac10c6c0o80;
vpi-3117116-emma_session=eyJpdiI6IlZTV3o5bVNtMm5hOCthNm9cLzRvOEVnPT0iLCJ2YWx1ZSI6IjNCNTZQYnZNT2tDUkpZZTREQ01pTGtKVllLRUd0ZjQwYkhHSTExalErNm
RqMzV2QTBcL3hDc1wvSndUXC9YNk5rK0tQOEF6UGRrR2JHcEgzNCtMZVg4QitRPT0iLCJtYWMiOiIwNTdlZDUzMWU1NGUzNTBkZDkxMTE1MTk5OWRmMWI2ZDRmMmY1M
TEzMzdmM2E0MDMxZTMyZmFkMjdjZThkNTIxIn0%3D
Connection: keep-alive
f[0][i]=1&f[0][v]=crackswafslikeatingpopcorn@vulnerability-lab.com&f[1][i]=5&f[1][v]=a