Advisory ID: SYSS-2021-051
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-11-02
Solution Date: TBA
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45226
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is an enterprise resource planning software
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables construction
companies, their subcontractors, suppliers and workforce – to work better
together on site, off site, on the road and in the office."

Due to improper validation of user-controlled HTTP headers, attackers can
cause the COINS Construction Cloud application to send password reset
e-mails pointing to arbitrary websites.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

COINS Construction Cloud provides users with a password reset function
that sends an e-mail to a pre-registered e-mail account. This e-mail
contains a link carrying a reset token.

However, the target domain of this link is taken from the HTTP "Host"
header of the initial request. As this header is user-controlled, an
attacker can induce the application to send e-mails containing password
reset links pointing to arbitrary domains.

Because such an e-mail originates from a supposedly trustworthy source,
it could be used for phishing.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Trigger a password reset for a user account under your control.
2. Intercept the request on the way to the server and change the HTTP
   "Host" header to an arbitrary domain.
3. Release the modified e-mail.
4. You receive an e-mail containing a link to the previously entered
   domain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been provided yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-051
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-051.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
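The following is an added example, not code from COINS or SySS. It contrasts the link-construction pattern described under "Vulnerability Details" (the link's domain taken from the client-supplied Host header) with a hardened version that always builds the link from a configured canonical origin and refuses requests whose Host is not on an allowlist. The origin, host names, request samples and token are constructed for the example.

```python
"""Password reset link construction: the Host-header-derived pattern this
advisory describes, beside a hardened variant. Added example, not COINS
code; configuration values and request samples are constructed."""
from typing import Optional
from urllib.parse import quote

# Assumed deployment configuration: the only origin reset links may point to.
CANONICAL_ORIGIN = "https://erp.example.com"
ALLOWED_HOSTS = {"erp.example.com"}


def _host_without_port(raw: str) -> str:
    """Normalise a Host header value: lower-case, strip an optional port."""
    raw = raw.strip().lower()
    if raw.startswith("["):                  # IPv6 literal, e.g. [::1]:443
        return raw.split("]", 1)[0] + "]"
    return raw.rsplit(":", 1)[0]


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern (CWE-20): the link's domain is whatever the client
    sent in Host, so a tampered request yields a link to an arbitrary site."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token, safe='')}"


def build_reset_link_hardened(headers: dict, token: str) -> Optional[str]:
    """Hardened: the link always uses the configured origin, and a request
    whose Host is not on the allowlist is refused (returns None) so the
    caller can log it and send no e-mail at all."""
    host = _host_without_port(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"


# Constructed sample requests: a legitimate one and one with a tampered Host.
LEGIT_REQUEST = {"Host": "erp.example.com:443"}
TAMPERED_REQUEST = {"Host": "attacker.example"}

if __name__ == "__main__":
    tok = "c0ffee"  # constructed placeholder token, not a real reset token
    print("vulnerable, tampered:", build_reset_link_vulnerable(TAMPERED_REQUEST, tok))
    print("hardened, tampered:  ", build_reset_link_hardened(TAMPERED_REQUEST, tok))
    print("hardened, legit:     ", build_reset_link_hardened(LEGIT_REQUEST, tok))
```

A rejected Host (None) is also a useful detection signal: password reset requests whose Host does not match the deployment's expected value are worth logging and alerting on.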