-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory Title
===============
ARAMIDO-2018-001: Reflected HTML Injection in web-based CRM+ by Brainformatik GmbH

Affected Product(s) and Environment(s)
==========================================
The login page of CRM+ by Brainformatik GmbH is affected by a reflected HTML injection vulnerability.

Security Risk
===============
Severity: Medium
Vulnerability Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80)
CVSS v3: 5.3

## Impact
Confidentiality: None
Integrity: Low
Availability: None

## Exploitability
Access Vector: Network
Access Complexity: Low
Privileges Required: None
User Interaction: None

## Scope
Scope: Unchanged

Remediation Level
================
Unavailable

Timeline
========
2018-03-22: Vulnerability discovered
2018-04-03: Information sent to Brainformatik GmbH
2018-10-29: Brainformatik GmbH confirms the fix prior to this date
2018-11-02: Public disclosure

Description Summary
=====================
CRM+ by Brainformatik GmbH is a web-based customer relationship management tool. To use it, a user needs to log in, for which a login form is provided. This form can be manipulated so that website defacements and presumably cross-site scripting (XSS) are possible. Defacements can mislead users into taking certain actions. Via XSS, key logging and other methods of browser control are imaginable.

Product Introduction:
======================
"crm+ is a web-based CRM system that provides you with the information you need at any time and in any place, in a structured and process-oriented way. crm+ is a very inexpensive alternative to Vtiger CRM and constitutes a complete management software package that ships in German by default." (Source: https://www.brainformatik.com/produkte/crm-plus/)

Technical Description
======================
The login page offers a form which contains several hidden input fields. One of them is a hidden input field called 'forward_action', whose value can be controlled by the GET parameter 'action'. Hence, an HTML injection is possible. The application evidently filters the 'action' parameter; however, we found the HTML tags 'a', 'div' and 'img' to be injectable. The URL of the manipulated page can be sent to account owners, and an attacker may try to obtain their username and password or to redirect them to other websites.

Proof of Concept (PoC)
======================
For a proof of concept, we manipulated the 'action' parameter. The defaced website can be accessed from the URL . It shows the login form with the aramido pirate flag on top of it. Another example is , which may still work with some browsers.

Solution
========
Our proposed solution is:

1. Use proper input validation.
2. Use proper output escaping.
3. Make use of the Content Security Policy (CSP). See https://content-security-policy.com/ for further information.

References
===========
[aramido responsible disclosure policy](https://aramido.de/blog/sicherheitshinweise)

Authors
=======
Armin Harbrecht, aramido GmbH
E-mail: armin.harbrecht@aramido.de
PGP-Key: https://aramido.de/armin.harbrecht.asc
PGP-Fingerprint: E644 A4BD 7723 8620 FDA5 88C5 C483 060D 2B5F 83A0

Andreas Sperber, aramido GmbH
E-mail: andreas.sperber@aramido.de
PGP-Key: https://aramido.de/andreas.sperber.asc
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1 2BED 7518 A24A 06B9 BEA7

Disclaimer
===========
The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve of or encourage anybody breaking vendor licenses or policies, defacing websites, hacking into databases or trading in fraudulent/stolen material.

Copyright
==========
CC-BY-4.0 http://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElg7G/qrUhYz1TF6UKkksQOF7cp8FAlvccC0ACgkQKkksQOF7
cp8H3w//VdHZnkcFFcP+QbcHVEZ27R+rZh4o9GPkbxRKFind6XYRIimjtnHxe60C
La1/Nl0oL/ClF7TlOYnid6VJ6qIo6l2cKXYFvoT2CkXKFMH3Q8r4SyfJwHQEbzwg
jdqGmvTJBpiln9/CAvjSDiBSQSA38EexlzH8fEOSIq0jQGBKPgWVEQAxRKEa0D93
zz52+0dcaqTjDhIuLN1PQAJjE7O/b6Wua7sN726IvZ3S/C5dzdzTJ6WB4Ig4uKms
MIwNnIdhm8a3FsEwgyWZI26/fmntEcH8jB2GTLpyCqOCnqg0tFZLGRHv1gr+WRaJ
vF5J55OlN+vWd8+8U8/B74BemLv030YpYShYheC6VNjlBK/GCgmS71jedK9BNkrJ
ilfjaMMGIzA0ut6zlzSK3sU1SQYFmYalCdC7g3ufFi7jbiiRXE1u2MGaeTaJOAFN
zUs7fvBhHDq4tSnkAiHJbL4tWMhYLpS9L3W2YWqfFoErrz5BvN4+fn8fR/rSYT5B
uQqKQofhsbQHimW5y8BeksOTDHTQWZ92cEypFrw6ISRo3h5jbR6h0PFq3cvQHr9s
QK0tFnNthizEBxRZ55d129iG4EcJESaCabF7pOlIBHcfVFkGCTsCXOon+MUTPfaR
YyxnK+Z/XC742UGwQGqPKeNeU6/WEpD44trqeITtA/zGqIbiD/A=
=yc88
-----END PGP SIGNATURE-----
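Appended outside the signed message, as an added example that is neither aramido's nor Brainformatik's code: a minimal model of the pattern the Technical Description and Solution sections describe. A hidden 'forward_action' field is rendered from a GET parameter 'action'; the "vulnerable" variant reflects it after a tag blacklist (the kind of filter that stops 'script' but lets 'a', 'div' and 'img' through), while the hardened variants apply the advisory's three remedies: an allowlist of action names (input validation), HTML attribute escaping (output escaping) and a Content-Security-Policy header. The action names, the field markup and the CSP directive values are assumptions for illustration, not taken from the product; the injected input is constructed.

```python
import html
import re
from typing import Dict, Optional

# Assumed set of action names the login form may forward to (illustrative, not the product's).
ALLOWED_ACTIONS = {"index", "Home", "Calendar"}
DEFAULT_ACTION = "index"

# Constructed input: closes the value attribute and injects a 'div', one of the tags
# the advisory reports as passing the application's filter.
CONSTRUCTED_INPUT = 'index"><div>constructed defacement</div>'


def render_forward_field_vulnerable(action: str) -> str:
    """Reflects the 'action' parameter into the hidden field after a blacklist filter.

    Models the behaviour the advisory describes: an obviously dangerous tag is
    stripped, but the value is neither validated nor escaped, so other tags and a
    closing double quote reach the page unchanged.
    """
    filtered = re.sub(r"</?script[^>]*>", "", action, flags=re.IGNORECASE)
    return f'<input type="hidden" name="forward_action" value="{filtered}">'


def validate_action(action: Optional[str]) -> str:
    """Solution step 1, input validation: only a known action name is accepted;
    anything else (including a missing parameter) falls back to the default."""
    if action in ALLOWED_ACTIONS:
        return action
    return DEFAULT_ACTION


def escape_attribute(value: str) -> str:
    """Solution step 2, output escaping for an HTML attribute context.

    html.escape(quote=True) neutralises & < > " and ', so a value can no longer
    terminate the attribute or open a new tag.
    """
    return html.escape(value, quote=True)


def render_forward_field_hardened(action: Optional[str]) -> str:
    """Validation and escaping together: the recommended combination."""
    return (
        '<input type="hidden" name="forward_action" '
        f'value="{escape_attribute(validate_action(action))}">'
    )


def render_forward_field_escaped_only(action: str) -> str:
    """Escaping alone, for a field whose value must stay free-form. Still safe in
    this attribute context, but it does not stop unexpected forward targets."""
    return f'<input type="hidden" name="forward_action" value="{escape_attribute(action)}">'


def csp_header() -> Dict[str, str]:
    """Solution step 3: a restrictive CSP for the login page (assumed directive values).

    Injected inline script and remote images are blocked, and form-action
    'self' keeps an injected form from posting credentials elsewhere.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; img-src 'self'; "
            "object-src 'none'; base-uri 'self'; form-action 'self'"
        )
    }


def contains_injected_tag(rendered: str) -> bool:
    """Defender-side check used in tests: does the rendered fragment contain any
    tag other than the single input element it is supposed to consist of?"""
    tag_names = re.findall(r"<\s*/?\s*([a-zA-Z]+)", rendered)
    return any(name.lower() != "input" for name in tag_names)


if __name__ == "__main__":
    print("vulnerable:", render_forward_field_vulnerable(CONSTRUCTED_INPUT))
    print("hardened:  ", render_forward_field_hardened(CONSTRUCTED_INPUT))
    print("escaped:   ", render_forward_field_escaped_only(CONSTRUCTED_INPUT))
    print("csp:       ", csp_header()["Content-Security-Policy"])
```

Note that the escaped-only variant already defeats the HTML injection, because the reflected value can no longer break out of the attribute; the allowlist is what additionally prevents the field from carrying an unexpected forward target, and the CSP limits the damage should another reflection point be missed.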