We discovered a stored cross site scripting (XSS) vulnerability on Vera, a platform for online proofing and custom workflows used in the printing industry. An authenticated user could leverage the last name field in the User module of the system to execute a stored cross site scripting vulnerability. Furthermore, an Improper Access Control vulnerability was discovered in the projects module where a user could view and download project related documents without the proper permissions. The vulnerable version is Vera – 4.9.1.26180.
Vera-XSS-and-Improper-Access- Control_Thumb
Vera-XSS-and-Improper-Access- Control_Thumb
We discovered a stored cross site scripting (XSS) vulnerability on Vera, a platform for online proofing and custom workflows used in the printing industry. An authenticated user could leverage the last name field in the User module of the system to execute a stored cross site scripting vulnerability. Furthermore, an Improper Access Control vulnerability was discovered in the projects module where a user could view and download project related documents without the proper permissions. The vulnerable version is Vera – 4.9.1.26180.

Impact

An attacker could leverage the cross-site scripting vulnerability to conduct an attack against a user and gain access to sensitive information such as their cookie. The attacker could take over the accounts of other users and execute actions in their name.

The improper access control vulnerability could be leveraged by a malicious user to access sensitive project related documents and upload content to a project that they should not have access to.

Technical Analysis

Cross Site Scripting

In order to exploit this vulnerability, we logged in as a user on the website where the application was hosted. This user had access to the User Management module. Then, we clicked on the Users tab in the menu bar and edited another user’s details. We changed the last name of this user to an XSS payload:

<img src="" onerror=" alert(document.cookie)"/>

This is just a simple payload to demonstrate our ability to execute arbitrary JavaScript code. The payload will open a pop-up window that displays the cookie of the user being attacked.

To trigger the payload, we clicked on that user’s details page and as expected, a pop-up appeared displaying a cookie:

Vera-XSS-and-Improper-Access-Control_Image-1
As you can see in the screenshot, the cookie contains a VikiSessionId value. This value could be used by an attacker to impersonate another user, such as an administrator.

Improper Access Control

To demonstrate this vulnerability, we first logged in as a user with access to the User Management module. We chose one of the other users in the Users tab and edited their permissions. We removed their permission to access projects by unchecking the checkbox named “Access to all projects”. Then, we clicked on one of the projects in the Projects tab and copied its URL. We saved this URL for later.

Finally, we logged in as the user whose access we removed in the first step. We navigated to the project URL directly by pasting it in the address bar and realized that we were still able to interact with the project. For example, we were able to upload and download project attachments even though our account did not have the permissions to do so.

Vera-XSS-and-Improper-Access-Control_Image-2

Mitigation

Cross Site Scripting (XSS)

Encode User input

To protect the application against cross site scripting, all user input should be encoded when returned to the client. The type of encoding used depends on the context where the input is returned. OWASP has an article on XSS prevention.

Allow only specific input characters

User input fields should only accept characters that are known to be good. This is known as an allowlist approach: only the input values that are explicitly allowed by the server are accepted, and the other ones are rejected. This will prevent attackers from writing code in input fields, which will make it harder for them to exploit cross site scripting bugs. Note that this must be done on the server side, because attackers can bypass all client-side restrictions.

Improper Access Control

Validate Authorization

Access should be properly validated before returning information to the client. The server should make sure that user has the right to view the requested resource before serving it. OWASP also has a cheat sheet on access control.

Conclusion

Vulnerabilities like XSS and Improper Access Control are well known but still very prevalent. However, by using well-known security solutions and following secure development practices, you can avoid vulnerabilities like these and keep your application secure.

These vulnerabilities were assigned CVE-2019-20483 and CVE-2019-20484 respectively and have been disclosed to the vendor following our responsible disclosure process.

If you want to know about another vulnerability affecting Vera, read our previous blog post about a Remote Code Execution vulnerability in version 4.9.1.26180.

Hat tip to Francis Labelle for his assistance in the writing of this blog post.

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

EVENT CALENDAR

LATEST PRESS RELEASE

GOSECURE BLOG

SECURITY ADVISORIES

 24/7 Emergency – (888)-287-5858