{"id":18643,"date":"2022-07-15T10:45:36","date_gmt":"2022-07-15T08:45:36","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2021-0027\/"},"modified":"2022-07-26T08:57:13","modified_gmt":"2022-07-26T06:57:13","slug":"usd-2021-0027","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0027\/","title":{"rendered":"usd-2021-0027"},"content":{"rendered":"\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0027 | E-mail verification Bypass in CleverReach Newsletter Service<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0027<\/span>
Affected Product<\/strong>: CleverReach <\/span>
Affected Version<\/strong>: Latest (as of 3rd May 2021)<\/span>
Vulnerability Type<\/strong>: CWE-288<\/a>: Authentication Bypass Using an Alternate Path or Channel<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>:\u00a0https:\/\/www.cleverreach.com\/de\/ <\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

It was possible to register and verify arbitrary e-mail addresses for the newsletter.
The link for the registration confirmation and the link needed for the e-mail verification only differed in one letter.
Therefore, it was possible to craft the verification link without access to the e-mail account.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

After the form for the newsletter registration is completed, the user is redirected a confirmation page.
The link for the confirmation page looks like this:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

https:\/\/eu2.cleverreach.com\/f\/259909-299451\/wcs\/1179069-fb4586c815f6a<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

The verification link sent via email only differs in one letter:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

https:\/\/eu2.cleverreach.com\/f\/259909-299451\/wss\/1179069-fb4586c815f6a<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"]

By changing \/wcs\/<\/strong> to \/wss\/ <\/strong>it is possible to register and verify arbitrary e-mails without having access to them.
<\/strong><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

The verification link should be unique and independent from the registration process.<\/p>\n

Timeline<\/h3>\n
    \n
  • 2021-05-03: This vulnerability was identified by Nicolas Schickert.<\/li>\n
  • 2021-05-07: Advisory submitted to vendor via e-mail.<\/li>\n
  • 2021-05-25: Vendor states that they will be fixing this issue in a future version.<\/li>\n
  • 2021-06-30: Vendor acknowledges behaviour and starts working on a fix.<\/li>\n
  • 2021-11-22: Vendor informs about fix.<\/li>\n
  • 2021-12-30: Vulnerability persists, details provided to vendor.<\/li>\n
  • 2022-01-11: Vulnerability is fixed by vendor<\/li>\n
  • 2022-07-15: Advisory is published.<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerability was identified by Nicolas Schickert of usd AG.<\/p>\n<\/div>\n<\/div>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]\n\n\n","protected":false},"excerpt":{"rendered":"

    usd-2021-0027 | E-mail verification Bypass in CleverReach Newsletter Service Advisory ID: usd-2021-0027Affected Product: CleverReach Affected Version: Latest (as of 3rd May 2021)Vulnerability Type: CWE-288: Authentication Bypass Using an Alternate Path or ChannelSecurity Risk: LowVendor URL:\u00a0https:\/\/www.cleverreach.com\/de\/ Vendor Status: Fixed Description It was possible to register and verify arbitrary e-mail addresses for the newsletter.The link for the […]<\/p>\n","protected":false},"author":109,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-18643","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/18643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=18643"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/18643\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=18643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}