Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Connect-app (CDU) Version: 3.8 - Cross Site Scripting

From: merion44 via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 04 Aug 2021 11:01:00 +0000
app: connect-app (cdu) (version: 3.8)

cross-site scripting in the registration form name variables. Remote attackers can inject js payloads as name variables 
to exploit the frontend in the profile view and potentially execute in the backend via the preview. Uncertainty in 
validating object names in outbound emails, causing the context to be validated insecurely. This allows reflected 
execution in the message body of the email where the name variable is visible. You can see in the main validation how 
the developers have tried to parse and encode the content with backslashes and other characters. In this way, the type 
of validation can easily be bypassed by using simple frames with a source that points to a external link. We have 
tested this in the portal where the code is executed, we have tested it in the outgoing service emails that insert the 
name variably in the email body, and we have also tested the stored content that was submitted via the API. All 
contents was transmitted insecurely and can be manipulated to trigger simple cross-site scripting payloads, hijack user 
session credentials or manipulate outbound emails with reflected malicious content on the application side.

We decided to bring the issue directly to the public after the CDU opened a court case to criminalise a German hacker 
following a Whitehat report. Normally we wanted to report the vulnerabilities directly via Responsible Disclosure, but 
were deterred by incidents mentioned above. These did not stop us but we therefore chose another way to make noise.

ref: https://www.golem.de/news/connect-app-cdu-verklagt-offenbar-hackerin-nach-melden-von-luecken-2108-158647.html

ref: https://www.golem.de/news/connect-app-cdu-nimmt-wahlkampf-app-nach-datenleck-offline-2105-156471.html

greetz to cdu
by team smackback

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: