Advisory ID: SYSS-2020-017
Product: ANTON Web Application
Manufacturer: solocode GmbH
Affected Version(s): 1.3.5
Tested Version(s): 1.3.5
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Close
Manufacturer Notification: 2020-04-21
Solution Date: 2020-04-27
Public Disclosure: 2020-06-02
CVE Reference: Not yet assigned
Author of Advisory: Joachim Klein, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ANTON is a universal learning platform for schools and pupils.

The manufacturer describes the product as follows (see [1]):

"ANTON is a universal learning platform (web & mobile) for schools and pupils, which can be used both for independent self-study and for interactive learning in a classroom context."

ANTON is vulnerable to cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Cross-site scripting (XSS), a typical web application vulnerability, allows an attacker to inject JavaScript code that the application then executes in the victim's browser.

Due to insufficient filtering of user-controlled input, ANTON is vulnerable to cross-site scripting.

A successful attacker can do anything that JavaScript permits in the application's context. For example, this includes redirecting the victim to another website, taking over the session (session hijacking) or altering the original layout (defacement).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As a proof of concept, SySS GmbH placed JavaScript code in the parameter "Nachname" (last name) inside an HTML tag using the 'onerror' event handler attribute.

For example, it was possible to extract the local storage value containing the userLogId.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue was rectified by the vendor. All users automatically use the fixed version.
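The root cause described above is a user-controlled value (the "Nachname" field) being concatenated into HTML without output encoding, so a value containing a quote can close the attribute it sits in and introduce an event handler such as 'onerror'. The following added example is not code from the advisory or from ANTON; it contrasts the vulnerable concatenation pattern with contextual HTML encoding, and uses a small attribute tokenizer (an assumption standing in for a browser's parser) to show that the encoded value is seen as a single attribute. The field name and the sample input are constructed for illustration.

```javascript
// Added example (not part of the SySS advisory or the ANTON code base).
// Encode the characters that can change the meaning of HTML text and
// double-quoted attribute values. '&' must be handled first so that the
// entities introduced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the raw field value is spliced into markup, so a
// quote inside the value terminates the title attribute early.
function renderSurnameUnsafe(nachname) {
  return '<span class="surname" title="' + nachname + '">' + nachname + "</span>";
}

// Hardened pattern: encode once for the HTML context before concatenation.
// The same encoded form is safe in both the attribute and the text node.
function renderSurnameSafe(nachname) {
  const enc = escapeHtml(nachname);
  return '<span class="surname" title="' + enc + '">' + enc + "</span>";
}

// Minimal attribute tokenizer for a single opening tag with double-quoted
// attributes (assumption: a stand-in for the browser's tokenizer). It
// returns the lower-cased attribute names the tag would carry.
function attributeNames(html) {
  const openTag = html.match(/^<[a-zA-Z]+([^>]*)>/);
  if (!openTag) return [];
  const names = [];
  const attrRe = /([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(openTag[1])) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Defender-side check: does the rendered tag carry any on* handler attribute
// that the template never declared? Useful as a unit test on templates.
function hasEventHandlerAttribute(html) {
  return attributeNames(html).some((n) => /^on[a-z]+$/.test(n));
}

// Constructed sample input: a quote followed by an attribute injection.
const SAMPLE_NACHNAME = 'x" onerror="alert(1)';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSurnameUnsafe(SAMPLE_NACHNAME));
  console.log("unsafe has handler:", hasEventHandlerAttribute(renderSurnameUnsafe(SAMPLE_NACHNAME)));
  console.log(renderSurnameSafe(SAMPLE_NACHNAME));
  console.log("safe has handler:", hasEventHandlerAttribute(renderSurnameSafe(SAMPLE_NACHNAME)));
}
```

In a browser, the equivalent of renderSurnameSafe is to build the element with document.createElement and assign the value via textContent and setAttribute rather than innerHTML; the encoding function is the fallback when a server-side or string-based template is unavoidable.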
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-04-16: Vulnerability discovered
2020-04-21: Vulnerability reported to manufacturer
2020-04-27: Patch released by manufacturer
2020-06-02: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ANTON
    https://anton.app/de/impressum/
[2] SySS Security Advisory SYSS-2020-017
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-017.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Joachim Klein of SySS GmbH.

E-Mail: joachim.klein@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Joachim_Klein.asc
Key ID: 0x535D9C315D2E0BBF
Key Fingerprint: 3384 5485 D2E3 B20A F309 E66D 535D 9C31 5D2E 0BBF

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en