-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-041
Product: 4All-Portal
Manufacturer: Cross Media - die Daten und Netz GmbH
Affected Version(s): Unknown
Tested Version(s): 2.7
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2016-05-13
Solution Date: 2016-09-12
Public Disclosure: 2016-11-29
CVE Reference: Not assigned
Author of Advisory: Sascha Muenzberg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

4All-Portal is a web-based web-to-print workflow solution.

The software manufacturer describes the application as follows (see [1]):

"The 4All-Portal is a highly flexible web-to-print platform for managing,
creating and publishing of publications in online and print media. Various
modules enable flexible scaling of the software – so that the portal grows
with your requirements"

Due to improper input validation, the web application is vulnerable to
reflected Cross-Site Scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that at least one URL of the web application 4All-Portal
is prone to a reflected Cross-Site Scripting attack.

This Cross-Site Scripting vulnerability allows an attacker to send a
manipulated link to a victim in order to execute arbitrary JavaScript code
in the victim's web browser, in the origin of the 4All-Portal web
application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL demonstrates the reflected Cross-Site Scripting
vulnerability by showing a JavaScript alert box. The payload is passed in
the "filename" parameter, which is reflected into the response without
being encoded:

https://example.com/UserManagement/GetMAMGuiAsset?customerName=np&urlAddAttr=9323&filename=<%2fa>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 2.10 or later.
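The following is an added example (not code from SySS GmbH or from the 4All-Portal product) that shows what the PoC above exercises and how to verify a fix offline. The two render functions are constructed stand-ins for a server page that echoes the "filename" query value into an HTML anchor: one mirrors the unencoded reflection the advisory describes, the other is a hardened form that encodes for each output context. The "/assets/" path and the benign file name are assumptions; only the PoC URL is taken from the advisory.

```python
"""Reflected-XSS reflection check for the GetMAMGuiAsset "filename" parameter.

Added example; the real server-side code of 4All-Portal is not public, so
render_vulnerable() and render_fixed() are constructed stand-ins.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# PoC URL from the advisory (payload <%2fa> decodes to </a>)
POC_URL = ("https://example.com/UserManagement/GetMAMGuiAsset"
           "?customerName=np&urlAddAttr=9323&filename=<%2fa>")


def filename_from_url(url: str) -> str:
    """Return the percent-decoded 'filename' query value ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("filename", [""])[0]


def render_vulnerable(filename: str) -> str:
    """Constructed stand-in: the parameter is echoed into the page verbatim.

    Nothing is encoded, so a value such as </a> closes the anchor and
    whatever follows it is parsed by the browser as new markup.
    """
    return f'<a href="/assets/{filename}">{filename}</a>'


def render_fixed(filename: str) -> str:
    """Constructed hardened form: encode separately for each output context.

    - URL path segment: percent-encode everything outside the unreserved set
    - element content:  HTML-encode < > & " ' via html.escape
    """
    return (f'<a href="/assets/{quote(filename, safe="")}">'
            f'{html.escape(filename, quote=True)}</a>')


class _TagStream(HTMLParser):
    """Collects the sequence of start/end tags the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(("start", tag))

    def handle_endtag(self, tag):
        self.tags.append(("end", tag))


def tag_stream(body: str) -> list[tuple[str, str]]:
    """Tokenise an HTML fragment into its start/end tag sequence."""
    parser = _TagStream()
    parser.feed(body)
    parser.close()
    return parser.tags


def injects_markup(render, value: str, benign: str = "report.pdf") -> bool:
    """True if `value` changes the tag structure compared with a benign value.

    Comparing tag streams instead of searching for the raw payload avoids a
    false positive when the payload (here </a>) legitimately occurs in the
    template itself.
    """
    return tag_stream(render(value)) != tag_stream(render(benign))


def check(render, url: str = POC_URL) -> dict:
    """Run the PoC value from `url` through a renderer and report the result."""
    value = filename_from_url(url)
    body = render(value)
    return {"payload": value, "body": body,
            "injects_markup": injects_markup(render, value)}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("fixed", render_fixed)):
        result = check(render)
        print(f"{name}: injects_markup={result['injects_markup']}")
        print("   ", result["body"])
```

Against the vulnerable renderer the decoded payload `</a>` yields three anchor tags where the benign baseline yields two, which is exactly the tag-breakout a browser would act on; against the hardened renderer the tag stream is unchanged. Because the check compares parsed structure rather than grepping for the payload, it is usable as a regression test after upgrading to the fixed version.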
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-03: Vulnerability discovered
2016-05-13: Vulnerability reported to manufacturer
2016-07-13: Manufacturer proposes alternative release schedule
2016-09-12: Public release of fixed version
2016-11-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Vendor description of 4All-Portal
    http://www.4all-portal.net/en/
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
[3] SySS GmbH, SYSS-2016-041
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-041.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sascha Muenzberg of the SySS GmbH.

E-Mail: sascha.muenzberg@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Muenzberg.asc
Key ID: 0x73033C4F
Key Fingerprint: 63FF 27B8 3E36 5475 1C0E CB5D 27C6 0C38 7303 3C4F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJYPAUKAAoJECfGDDhzAzxPS7gQAKX5JuXPHkBLPxQdJMmTInM1
iommgkKqeJnEDsZnscCHE8rG2Z0SLkY4gmZphDKGR9hVEYNLGWFN/eKJjvkM2Mw/
MXi3YfP4aaygeETkLcwAuazonnAVfI2o1mvCzrMcMFbRAT87fhXfJzJ3uJ/q88CD
xL3pZ5LRPow2Dk8NuVxIsIY1oTZ0oj4AIpnpQsDkF5En4DJ6CznFAh7ojB6Uwo4H
/nxegTqjT00GisP3OkGINRLMQRBhLljE3mTEggq5+OskxSSNVsYFbcG7Q9yeuFLr
NmAZZTeW65BaunJ9dJBCQMsh68juFtqdBPBBC25SoiEOG0S/Z/upXgvvKikf1SG9
LP3nCj/zK+0hRiYM/O9FDnqxF52C/V27UoIrbI8Vpu8aq37q9QUg+esQmm/XLTMi
VJl7fzxnRtnMNBt+zA2NL+GN9R7ozdojqMQ5GS1vGxMhFKHOPFqB3oeMDmQeVnnP
JMEShILzMXzagFeMcHRZ+mXVR0oQYv4VXTasimbJ3yIvqKq43pY5ekS12Ni2xB/l
ATXTuSjR2wVgO5Mt8CD4W5AjeCPfOiAlYFBdI1rqx8ECmcyg9X6YOt3o/wwhbdW4
rOGVXmawd1WBH6V3sTf361E/mkSJ+J/hhIdnqu5PyB5YkasLCWMULHmJj/K1M6aQ
FUmp5N7I5CHIVRzl4Llb
=JBL2
-----END PGP SIGNATURE-----