Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

We discovered a stored cross site scripting (XSS) vulnerability on Vera, a platform for online proofing and custom workflows used in the printing industry. An authenticated user could leverage the last name field in the User module of the system to execute a stored cross site scripting vulnerability. Furthermore, an Improper Access Control vulnerability was discovered in the projects module where a user could view and download project related documents without the proper permissions. The vulnerable version is Vera – 4.9.1.26180.
Vera-XSS-and-Improper-Access- Control_Thumb
Vera-XSS-and-Improper-Access- Control_Thumb
We discovered a stored cross site scripting (XSS) vulnerability on Vera, a platform for online proofing and custom workflows used in the printing industry. An authenticated user could leverage the last name field in the User module of the system to execute a stored cross site scripting vulnerability. Furthermore, an Improper Access Control vulnerability was discovered in the projects module where a user could view and download project related documents without the proper permissions. The vulnerable version is Vera – 4.9.1.26180.

Impact

An attacker could leverage the cross-site scripting vulnerability to conduct an attack against a user and gain access to sensitive information such as their cookie. The attacker could take over the accounts of other users and execute actions in their name.

The improper access control vulnerability could be leveraged by a malicious user to access sensitive project related documents and upload content to a project that they should not have access to.

Technical Analysis

Cross Site Scripting

In order to exploit this vulnerability, we logged in as a user on the website where the application was hosted. This user had access to the User Management module. Then, we clicked on the Users tab in the menu bar and edited another user’s details. We changed the last name of this user to an XSS payload:

<img src="" onerror=" alert(document.cookie)"/>

This is just a simple payload to demonstrate our ability to execute arbitrary JavaScript code. The payload will open a pop-up window that displays the cookie of the user being attacked.

To trigger the payload, we clicked on that user’s details page and as expected, a pop-up appeared displaying a cookie:

Vera-XSS-and-Improper-Access-Control_Image-1
As you can see in the screenshot, the cookie contains a VikiSessionId value. This value could be used by an attacker to impersonate another user, such as an administrator.

Improper Access Control

To demonstrate this vulnerability, we first logged in as a user with access to the User Management module. We chose one of the other users in the Users tab and edited their permissions. We removed their permission to access projects by unchecking the checkbox named « Access to all projects ». Then, we clicked on one of the projects in the Projects tab and copied its URL. We saved this URL for later.

Finally, we logged in as the user whose access we removed in the first step. We navigated to the project URL directly by pasting it in the address bar and realized that we were still able to interact with the project. For example, we were able to upload and download project attachments even though our account did not have the permissions to do so.

Vera-XSS-and-Improper-Access-Control_Image-2

Mitigation

Cross Site Scripting (XSS)

Encode User input

To protect the application against cross site scripting, all user input should be encoded when returned to the client. The type of encoding used depends on the context where the input is returned. OWASP has an article on XSS prevention.

Allow only specific input characters

User input fields should only accept characters that are known to be good. This is known as an allowlist approach: only the input values that are explicitly allowed by the server are accepted, and the other ones are rejected. This will prevent attackers from writing code in input fields, which will make it harder for them to exploit cross site scripting bugs. Note that this must be done on the server side, because attackers can bypass all client-side restrictions.

Improper Access Control

Validate Authorization

Access should be properly validated before returning information to the client. The server should make sure that user has the right to view the requested resource before serving it. OWASP also has a cheat sheet on access control.

Conclusion

Vulnerabilities like XSS and Improper Access Control are well known but still very prevalent. However, by using well-known security solutions and following secure development practices, you can avoid vulnerabilities like these and keep your application secure.

These vulnerabilities were assigned CVE-2019-20483 and CVE-2019-20484 respectively and have been disclosed to the vendor following our responsible disclosure process.

If you want to know about another vulnerability affecting Vera, read our previous blog post about a Remote Code Execution vulnerability in version 4.9.1.26180.

Hat tip to Francis Labelle for his assistance in the writing of this blog post.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

No upcoming events.

DERNIER COMMUNIQUÉ DE PRESSE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858