Boxcryptor Cross Site Scripting

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2014-001  
- Original release date: February 4, 2014  
- Last revised: February 4, 2014  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 4.3/10 (CVSSv2 Base Scored)  
- CVE-ID: -  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com).  
  
  
II. BACKGROUND  
-------------------------  
Boxcryptor is an easy-to-use encryption software optimized for the  
cloud. It allows the secure use of cloud storage services without  
sacrificing comfort.  
  
Boxcryptor supports all major cloud storage providers (such as Dropbox,  
Google Drive, Microsoft SkyDrive, SugarSync) and supports all the clouds  
that use the  
  
WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).  
  
  
III. DESCRIPTION  
-------------------------  
Has been detected a XSS vulnerability in www.boxcryptor.com.  
  
Cross-Site Scripting attacks are a type of injection problem, in which  
malicious scripts are injected into the otherwise benign and trusted web  
sites.  
Cross-site scripting (XSS) attacks occur when an attacker uses a web  
application to send malicious code, generally in the form of a browser  
side script, to a  
  
different end user. Flaws that allow these attacks to succeed are quite  
widespread and occur anywhere a web application uses input from a user  
in the output  
  
it generates without validating or encoding it.  
  
An attacker can use XSS to send a malicious script to an unsuspecting  
user. The end user’s browser has no way to know that the script should  
not be trusted,  
  
and will execute the script. Because it thinks the script came from a  
trusted source, the malicious script can access any cookies, session  
tokens, or other  
  
sensitive information retained by your browser and used with that site.  
These scripts can even rewrite the content of the HTML page.  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
Next, we show a typical request to save changes in "My Account" option:  
  
POST /app/user/modify/<userID> HTTP/1.1  
Host: www.boxcryptor.com  
...  
firstname=<firstname>&lastname=<lastname>&username=<email>&_newsletter=  
  
where:  
- <userID> is a numeric user ID generated by boxcryptor  
- <firstname> is the firstname specified by the user  
- <lastname> is the lastname specified by the user  
- <email> is the email address specified by the user  
  
A malicious user can inject arbitrary HTML/script code in the <email>  
parameter.  
For example:  
  
POST /app/user/modify/3805739018726483071 HTTP/1.1  
Host: www.boxcryptor.com  
...  
firstname=John&lastname=Smith&[email protected]<H1><center>This+is+a+XSS+example</center></H1>&_newsletter=  
  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted  
user's browser. This can leverage to steal sensitive information as user  
credentials,  
  
personal data, etc.  
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
www.boxcryptor.com  
  
  
VII. SOLUTION  
-------------------------  
-  
  
  
VIII. REFERENCES  
-------------------------  
http://www.isecauditors.com  
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).  
  
  
X. REVISION HISTORY  
-------------------------  
February 4, 2014: Initial release  
  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
February 4, 2014: Discovered by Internet Security Auditors  
February 6, 2014: Contact with the developer team  
February 10, 2014: Confirmed by vendor  
February 10, 2014: Vendor deployed a new version  
February 13, 2014: Internet Security Auditors release the advisory  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. Internet  
Security  
  
Auditors accepts no responsibility for any damage caused by the use or  
misuse of this information.  
  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and  
  
assessing. Our clients include some of the largest companies in areas  
such as finance, telecommunications, insurance, ITC, etc. We are vendor  
independent  
  
provider with a deep expertise since 2001. Our efforts in R&D include  
vulnerability research, open security project collaboration and  
whitepapers,  
  
presentations and security events participation and promotion. For  
further information regarding our security services, contact us.  
`