SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities

2015-04-21T00:00:00
ID 1337DAY-ID-23559
Type zdt
Reporter bot
Modified 2015-04-21T00:00:00

Description

Exploit for multiple platform in category web applications

                                        
                                            Document Title:
===============
SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities

Product & Service Introduction:
===============================
The integrated customer management, digital customer file is the central record for a single customer. invoices, facilities and operations 
to a customer are stored centrally automated in one place. So the customer file is always up to date. For faster retrieval or reporting 
contacts can be tagged. In addition, with powerful. Search options you have as the entire customer base better than ever in view.
 
Daily backup
256bit SSL encryption
TÜV certified datacenter
 
Free version
No hidden costs
No minimum contract term
 
iPhone App
Runs in any browser
No installation required on the PC
 
Easy to use
Reduced to the essentials
Automated, where it is only Possible
 
(Copy of the Vendor Homepage: https://sevdesk.de/)

Affected Product(s):
====================
SevenIT
Product: SevDesk - Web Application 3.1.0

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities are detected in the official SEVENIT Software GmbH - sevDesk v3.10 web-application.
The vulnerability allows remote attackers or low privileged user account to inject own malicious script codes to the application-side of the 
vulnerable web-application module or service.
 
The security vulnerability is located in the `firstname`, `surname` & `family` name values of the main sevDesk `Dasboard` application module.
Remote attackers are able to inject own codes to the main dashboard service by manipulation of the registration username. The execution of 
the injected script code occurs on the application-side in the main dasboard module through the rightHead and feedcontent class. The attack 
vector is persistent and the request method to inject the code is POST. The victim user can also change the name by usage of the application 
which does not require an admins interaction on successful exploitation.
 
The security risk of the persistent script code inject web vulnerabilities is estimated as medium with a cvss (common vulnerability scoring system) 
count of 5.9. Exploitation of the persistent vulnerability requires a low privileged sevdesk user account with restricted access and no direct 
user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects 
to malicious source and persistent manipulation of affected or connected application modules.
 
 
Request Method(s):
                [+] POST
 
Vulnerable Module(s):
                [+] Registration to SevDesk
 
 
Vulnerable Parameter(s):
                [+] surname
                [+] firstname
                [+] family name
 
Affected Module(s):
                [+] Dasboard Index - rightHead & feedcontent
 
 
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by low privileged application user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
 
Manual steps to reproduce the vulnerability
 
1. Register an account by usage of the following webpage https://my.sevdesk.de/register/
2. Include to the surname, family name and firstname your own script code as payload
3. Save the registration form and go to the website https://my.sevdesk.de/
4. Login with the user account data
5. The execution of the injected script code occurs after the registration POST method request and next to the redirect in the main dasboard index (rightHead < name > feedcontent)
6. Successful reproduce of the application-side security vulnerability!
 
 
PoC: rightHead > Displayname (First- & Lastname)
 
<div id="middleHead">
<input id="suche" type="text" onfocus="this.value = ''" value="Gehe zu Kontakt, Projekt, Dokument..." />                  
</div>
<div id="rightHead">
<div style="float:right;margin-top:5px;text-align: right;padding-right:5px;">
<div style="color:#fff;padding:3px;margin-bottom:2px;">
<span style="color:#f5d385;font-weight:bold;">a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"</span></div>                        
<a href="/admin/company">Einstellungen</a> |                     
<a href="http://portal.sevdesk.de/" target="_blank">Hilfe</a> | <a href="./auth/logout/">Logout</a>
                    </div>
                </div>
            </div> 
        </div>
        <div id="headNav" style="top:80px;">
            <div class="headwrapper">
                <ul id="mainNavigation">
 
 
PoC: Verlauf > feedcontent
 
<div>
<div class="feed" id_feed="393424"><div class="imgpos"><img src="/img/icons/24x24/offer.png"></div><div class="feedbody">
<div class="headline">Samstag, 30. August 2014 - 02:14</div><div class="feedcontent">
a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> hat den Status des 
<img src="/img/icons/16x16/offer.png"> <a href="/om/detail/index/id/60547">Angebots - 1007</a> auf
"archiviert" geändert
</div></div><div class="clearfix"></div></div>
<div class="feed" id_feed="393423"><div class="imgpos"><img src="/img/icons/24x24/offer.png"/></div><div class="feedbody">  
<div class="headline">Samstag, 30. August 2014 - 02:14
 
 
 
--- PoC Session Logs [POST] (Registration sevDesk) ---
Status: 200[OK]
 POST https://my.sevdesk.de/register/save Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[94] Mime Type[text/html]
   Request Header:
      Host[my.sevdesk.de]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[https://my.sevdesk.de/register]
      Content-Length[119]
      Cookie[PHPSESSID=63m788aic41f173a01akttgp24; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1409658038644r0.9444753343384411; 
optimizelyBuckets=%7B%7D; __utma=47898149.1078820709.1409658041.1409658041.1409658041.1; __utmb=47898149.3.10.1409658041; __utmc=47898149; 
__utmz=47898149.1409658041.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); kvcd=1409658049586; 
km_ai=5La%2FUBeVvA7zRXwSTd4gSRBJccE%3D; km_uq=; km_vs=1; km_lv=1409658050; _ga=GA1.2.1078820709.1409658041]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      name[[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]]
      surename[[PERSISTENT INJECTED SCRIPT CODE VIA SURNAME VALUE!]]
      familyname[[PERSISTENT INJECTED SCRIPT CODE VIA FAMILY NAME VALUE!]]
      username[support%40vulnerability-lab.com]
      password[chaos666]
   Response Header:
      Date[Tue, 02 Sep 2014 11:44:30 GMT]
      Server[Apache/2.2.22 (Debian)]
      X-Powered-By[PHP/5.4.4-14+deb7u7]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Content-Length[94]
      Keep-Alive[timeout=5, max=99]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]
 
 
Reference(s):
https://my.sevdesk.de/register/save
 
 
Solution - Fix & Patch:
=======================
The vulnerbility can be patched by a secure parse and encode of the affected rightHead & feedcontent values in the dashboard application index.
Filter and restrict the user registration input form with a secure mask or exception-handling to prevent persistent code injections in the important name values.
 
Note: The issue has been patched by the manufacturer since 2015-02-01
 
 
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities in the main dasboard application is estimated as medium. (CVSS 5.9)

#  0day.today [2018-04-03]  #