-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-052
Product: COINS Construction Cloud
Manufacturer: Construction Industry Solutions (COINS)
Affected Version(s): 11.12
Tested Version(s): 11.12
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-11-02
Solution Date: TBA
Public Disclosure: 2022-01-13
CVE Reference: CVE-2021-45225
Author of Advisory: Jürgen Zöller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

COINS Construction Cloud is an enterprise resource planning software
specifically for the construction industry.

The manufacturer describes the product as follows (see [1]):

"COINS Construction Cloud is a powerful solution that enables
construction companies, their subcontractors, suppliers and workforce
– to work better together on site, off site, on the road and in the
office."

Due to improper input neutralization, COINS Construction Cloud is
vulnerable to reflected cross-site scripting (RXSS) via malicious links.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

At several locations within the application, it is possible to
introduce JavaScript code into the generated web page via URL
parameters.

The affected parameters are incorporated into HTML tag attributes
without neutralization. An attacker can therefore terminate the
attribute value by adding %22 (a URL-encoded double quotation mark)
to the parameter and then append arbitrary HTML, including a script
element.

Affected are the following parameters:

Search window:
* querySortOrder
* queryFilterType

Activity view window:
* pvCILevel
* pvCISibling
* TopMenu

The injection points of the activity view window are additionally
incorporated into inline JavaScript in an unsafe manner, so a second
type of payload also executes code there: the parameter value is placed
inside a JavaScript string literal, and a quotation mark in the value
terminates that literal. This second payload contains no HTML tags and
is therefore not detected by filters that only try to remove HTML tags
from parameters.
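The two sink contexts described above, as an added example that is not part of this advisory or of COINS Construction Cloud: a hypothetical Node.js template renders one parameter into an HTML attribute and another into an inline JavaScript string literal, as the advisory describes, and is compared against a filter that strips HTML tags and against context-aware output encoding. The template markup and all function names are assumptions; only the parameter names and the two payloads are taken from the advisory.

```javascript
// Added example (not part of the SySS advisory or the COINS product code).
// It models the two injection contexts with a hypothetical server-side
// template and shows why a tag-stripping filter stops only the first payload.
// Parameter names and the two payloads come from the advisory; the template
// markup and all function names are assumptions.

// The advisory's URL-encoded payloads, decoded the way a browser decodes them.
const SEARCH_PAYLOAD = decodeURIComponent('%22%3e%3cscript%3ealert(1)%3c%2fscript%3e'); // "><script>alert(1)</script>
const ACTIVITY_PAYLOAD = decodeURIComponent('%22-alert(1)-%22');                        // "-alert(1)-"

// Hypothetical vulnerable template: one parameter lands in an HTML attribute,
// the other in a JavaScript string literal inside an inline <script>.
function renderVulnerable(params) {
  return [
    `<input type="hidden" name="querySortOrder" value="${params.querySortOrder}">`,
    `<script>var topMenu = "${params.TopMenu}";</script>`,
  ].join('\n');
}

// Naive mitigation: remove anything that looks like an HTML tag.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

function renderWithTagFilter(params) {
  return renderVulnerable({
    querySortOrder: stripTags(params.querySortOrder),
    TopMenu: stripTags(params.TopMenu),
  });
}

// Context-aware encoding for an HTML attribute value.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Context-aware encoding for a JavaScript string literal: JSON-serialize the
// value (escapes quotes and backslashes), then escape the characters that
// could terminate the enclosing <script> element or the line.
function encodeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened template: each sink gets the encoder for its own context.
function renderHardened(params) {
  return [
    `<input type="hidden" name="querySortOrder" value="${encodeHtmlAttr(params.querySortOrder)}">`,
    `<script>var topMenu = ${encodeJsString(params.TopMenu)};</script>`,
  ].join('\n');
}

// Payload-specific checks: did the first payload produce a live <script>
// element, and did the second payload's quotes survive unescaped, i.e. close
// the JavaScript string literal?
function hasInjectedScriptElement(html) {
  return html.includes('<script>alert(1)</script>');
}
function hasBrokenJsLiteral(html) {
  return /(^|[^\\])"-alert\(1\)-"/.test(html);
}

// Runs all three renderers against the advisory's payloads and reports which
// breakouts succeed for each.
function compareRenderers() {
  const params = { querySortOrder: SEARCH_PAYLOAD, TopMenu: ACTIVITY_PAYLOAD };
  const renderers = {
    vulnerable: renderVulnerable,
    tagFilter: renderWithTagFilter,
    hardened: renderHardened,
  };
  const results = {};
  for (const [name, render] of Object.entries(renderers)) {
    const html = render(params);
    results[name] = {
      scriptElement: hasInjectedScriptElement(html),
      jsLiteralBreakout: hasBrokenJsLiteral(html),
    };
  }
  return results;
}

console.log(JSON.stringify(compareRenderers(), null, 2));
```

Run with node. The tag filter removes the script element produced by the first payload but leaves the "-alert(1)-" string-literal breakout intact, which is the point the advisory makes about the activity view parameters. The fix is to encode each value for the exact context it lands in (HTML attribute, JavaScript string literal) rather than to filter input.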
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Search:

1. Navigate to a search window within the application.
2. Append %22%3e%3cscript%3ealert(1)%3c%2fscript%3e (the URL-encoded
   form of "><script>alert(1)</script>) to the value of one of the
   vulnerable parameters, e.g. querySortOrder, in the URL.
3. Visit the page with the modified link.
4. The payload is executed once the page is loaded.

Activity view:

1. Navigate to the activity view window.
2. Append %22-alert(1)-%22 (the URL-encoded form of "-alert(1)-") to the
   value of one of the vulnerable parameters, e.g. TopMenu, in the URL.
3. Visit the page with the modified link.
4. The payload is executed once the page is loaded.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

No solution has been provided yet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-20: Vulnerability discovered
2021-11-02: Vulnerability reported to manufacturer
2022-01-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for COINS Construction Cloud
    https://www.coins-global.com/solutions/47/
[2] SySS Security Advisory SYSS-2021-052
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-052.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jürgen Zöller of SySS GmbH.

E-Mail: juergen.zoeller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Juergen_Zoeller.asc
Key ID: 0xA55C06902A34886E
Key Fingerprint: F279 067D A805 F18E BB71 E876 A55C 0690 2A34 886E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8nkGfagF8Y67ceh2pVwGkCo0iG4FAmHdbPgACgkQpVwGkCo0
iG7CYA//fwP+3Tl1fF6vWWu1XLic/ZQB2F2LZMT0784OmzaSynqVcq7VwnnydVIf
llCNbjoh/+BsM9TCCr75hlCHqQar2roDIL3MSUiXqzao57kliMhCQyvveV0+8PG0
Ff2IaCerzzi8MRSAlzm6Ds7E7HeesYU87+U34wB0S4Buo5JsloiQtS4YP8u8pwy5
LSBAQ1eFLtYrvQePQbFCUQvTRmBH00hSPFmDOUdHnCo2wg5h/X6mewrKMudpwezI
Le+f0D1jX4k3zVYaZyTgJdoInBgIr0uQx/MK/7XErBk+lSN+RlrTCSIiCkbBKrfk
qDVHs5y0HjTSAcb1iII36pCatDATeQ6aKCeWzwKVOUMJlxrYshY/ksf5KgFnRnCk
ckOURs+1PFjSrADdleFER8eYlQ3CdLAar7VzTzFTSITcav2m4zwZ2slR+qwhwDWg
GwSdrBYHCJQ1Kax5cLakectYfwcUw8eteS5PHca4/uhCA8d37ULWW6+XpiJfSPTL
uArUu3p/Ds4yFLWnTm66dg/jj7SjCr1sQ4Q2ZCnirM1XeUJwrv7wL6tgYa2sXPF5
m6NF+6ti+B5Z5nkt5iE1pm+e/3WMd3MfvQx+q/OXtJR6HqnjRHj215DtwUjcMeKK
xIjsXzvyRX3otoBaLDt+4BSb0AJk9CHMTtvqGMfKbnUiCyRZSvU=
=QT9U
-----END PGP SIGNATURE-----