SIS-REWE GO 7.5.0/12C Cross Site Scripting Vulnerability

=======================================================================
               title: Reflected Cross-site Scripting Vulnerabilities
             product: SIS Informatik - REWE GO
  vulnerable version: 7.5.0/12C
       fixed version: 7.7 SP17
          CVE number: CVE-2021-31537
              impact: Medium
            homepage:https://sisinformatik.com/rewe-go/
               found: 2021-02-12
                  by: Steffen Robertz (Office Vienna)
                      Florian Lienhart (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"SIS Informatik is your specialist for the conception and implementation
  of tailor-made accounting, business intelligence and corporate
performance management solutions. In addition to technical competence,
business know-how and the willingness to develop optimal, adaptable
software solutions together with our customers are the central
components that make us a strong partner. We develop solutions based on
high-quality technologies from well-known partners such as IBM, Oracle
and Qlik" (translated from German)

Source:https://sisinformatik.com/unternehmen/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these products
conducted by security professionals to identify and resolve all security
issues.


Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected Cross-site Scripting (XSS) (CVE-2021-31537)
The login website returns unfiltered or unescaped user input. This leads to a
reflected cross-site scripting (XSS) vulnerability.
An attacker can inject arbitrary HTML or JavaScript code into the victim's
web browser. Once the victim clicks on a malicious link, the attacker's code
is executed in the context of the victim's web browser.

Proof of concept:
-----------------
1) Multiple Reflected Cross-site Scripting (XSS) (CVE-2021-31537)
When opening the following URL the supplied JavaScript code will be executed.
/rewe/prod/web/index.php?config=rewe2%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E&version=7.5.0&win=2707&user=test&pwd=test&db=test&continue=false
The affected parameters are: "config", "version", "win","db", "pwd", and
"user".

No valid parameters need to be supplied to trigger the XSS vulnerability as
seen in following URL:
/rewe/prod/web/index.php?abc'-alert(%22document.domain%22)-'abc=1

The following URL is affected as well:
/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3ealert(1)%3c%2fscript%3e&win=2707
All parameters are affected.


Vulnerable / tested versions:
-----------------------------
The following product/firmware version has been tested:
* SIS-REWE GO 7.5.0/12C


Vendor contact timeline:
------------------------
2021-02-24: Contacting vendor [email protected]; no reply.
2021-03-11: Contacting vendor again [email protected]
2021-03-15: Vendor requests more information. SEC Consult offered to provide.
             advisory via encrypted or unencrypted mail.
2021-03-17: Sending advisory via PGP encrypted mail.
2021-03-21: Vendor confirmed the vulnerability and is working on a patch.
2021-04-12: Requested status update.
2021-04-16: Hot fix 7.7 SP16 available in week 16, next release 7.7 SP17 in
             week 18.
2021-05-11: Coordinated release of security advisory.


Solution:
---------
Contact the vendor in order to install the security patch for release 7.7
SP16
or upgrade to release 7.7 SP17. More information has been provided to customers
of the vendor in a newsletter.