-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory Title
===============
ARAMIDO-2018-001: Reflected HTML Injection of web-based CRM+ by Brainformatik GmbH


Affected Product(s) and Environment(s)
==========================================
The login page of the CRM+ by Brainformatik GmbH is affected by a reflected HTML Injection vulnerability.


Security Risk
===============
Severity: Medium
Vulnerability Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80)
CVSS v3: 5.3
## Impact
Confidentiality: None
Integrity: Low 
Availability: None
## Exploitability
Access Vector: Network 
Access Complexity: Low
Privileges Required:  None
User Interaction: None
## Scope
Scope: Unchanged


Remediation Level
================
Unavailable


Timeline
========
2018-03-22: Vulnerability discovered
2018-04-03: Information send to Brainformatik GmbH
2018-10-29: Brainformatik GmbH confirms the fix prior to this date
2018-11-02: Public disclosure


Description Summary
=====================
CRM+ by Brainformatik GmbH is a web-based customer relationship management tool. In order to use it a user needs to log in for which a login form is provided. This form can be manipulated in a way so that website defacements or presumably cross site scripting (XSS) are possible. Defacements can mislead users to take certain actions. By XSS key logging and other methods of browser control are imaginable.


Product Introduction:
======================
"crm+ ein webbasiertes CRM System, das Ihnen die gewünschten Informationen zu jeder Zeit und an jedem Ort strukturiert und prozessorientiert zur Verfügung stellt. Das crm+ ist eine sehr preiswerte Alternative zu Vtiger CRM und und stellt eine komplette Management Software dar, die standardmäßig auf Deutsch ausgeliefert wird." (Source: https://www.brainformatik.com/produkte/crm-plus/)


Technical Description
======================
The login website offers a form, which contains several hidden input fields. There is a hidden input field called 'forward_action', whose value can be controlled by the GET parameter 'action'. Hence, an html injection is possible.

It is obvious that the application filters the 'action' parameter. However, we found the html tags 'a', 'div' or 'img' to be injectable.

The url to the manipulated site can be sent to account owners and an attacker may try to obtain their username and password or to misguide them to other websites.


Proof of Concept (PoC)
======================
For a proof of concept, we manipulted the 'action' parameter. The defaced website can be accessed from the URL <https://[URL to CRM]/index.php?action=509%22%3E%3Cimg%20src=%22https://aramido.de/img/aramido-pirate-w.png%22%20/%3E%3Cbr%3E>. It shows the login form with the aramido pirate flag on top of it. Another example is <https://[URL to CRM]/index.php?action=509%22%3E%3Cimg%20src=%22javascript:alert(%27xss%27)%22%20/%3E>, which may still work with some browsers.


Solution
========
Our proposed solution is:
1. Use proper input validation.
2. Use proper output escaping.
3. Make use of the Content Security Policy (CSP). See https://content-security-policy.com/ for further information.


References
===========
[aramido responsible disclosure policy](https://aramido.de/blog/sicherheitshinweise)


Authors
=======
Armin Harbrecht, aramido GmbH 
E-mail: armin.harbrecht@aramido.de
PGP-Key:https://aramido.de/armin.harbrecht.asc
PGP-Fingerprint: E644 A4BD 7723 8620 FDA5 88C5 C483 060D 2B5F 83A0

Andreas Sperber, aramido GmbH 
E-mail: andreas.sperber@aramido.de
PGP-Key:https://aramido.de/andreas.sperber.asc
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1 2BED 7518 A24A 06B9 BEA7


Disclaimer
===========
The information provided in this advisory is provided „as is” without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.


Copyright
==========
CC-BY-4.0
http://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElg7G/qrUhYz1TF6UKkksQOF7cp8FAlvccC0ACgkQKkksQOF7
cp8H3w//VdHZnkcFFcP+QbcHVEZ27R+rZh4o9GPkbxRKFind6XYRIimjtnHxe60C
La1/Nl0oL/ClF7TlOYnid6VJ6qIo6l2cKXYFvoT2CkXKFMH3Q8r4SyfJwHQEbzwg
jdqGmvTJBpiln9/CAvjSDiBSQSA38EexlzH8fEOSIq0jQGBKPgWVEQAxRKEa0D93
zz52+0dcaqTjDhIuLN1PQAJjE7O/b6Wua7sN726IvZ3S/C5dzdzTJ6WB4Ig4uKms
MIwNnIdhm8a3FsEwgyWZI26/fmntEcH8jB2GTLpyCqOCnqg0tFZLGRHv1gr+WRaJ
vF5J55OlN+vWd8+8U8/B74BemLv030YpYShYheC6VNjlBK/GCgmS71jedK9BNkrJ
ilfjaMMGIzA0ut6zlzSK3sU1SQYFmYalCdC7g3ufFi7jbiiRXE1u2MGaeTaJOAFN
zUs7fvBhHDq4tSnkAiHJbL4tWMhYLpS9L3W2YWqfFoErrz5BvN4+fn8fR/rSYT5B
uQqKQofhsbQHimW5y8BeksOTDHTQWZ92cEypFrw6ISRo3h5jbR6h0PFq3cvQHr9s
QK0tFnNthizEBxRZ55d129iG4EcJESaCabF7pOlIBHcfVFkGCTsCXOon+MUTPfaR
YyxnK+Z/XC742UGwQGqPKeNeU6/WEpD44trqeITtA/zGqIbiD/A=
=yc88
-----END PGP SIGNATURE-----