Cross-Site Scripting in Planon

A DOM Based Cross-Site Scripting vulnerability in Planon before Live Build 41 allows malicious users to inject JavaScript code in the DOM (Document Object Model), which is afterwards executed on the client side. It may be used by the attacker to steal privileged sessions on the web application and therefore gain high-privileged access. The vulnerability was reported as CVE-2018-18570.

Background

The Planon web application is vulnerable to DOM based Cross-Site Scripting (XSS). It is possible to inject JavaScript code in the DOM (Document Object Model), which gets executed on the client side.

Example of a location where DOM based XSS is possible: /wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html

Steps to Reproduce

By inspecting the JavaScript code of the nodata.html file, we identified an unfiltered “nodatamsg” parameter (the key lines are shown; the loop around them is reconstructed here so the snippet reads as a whole):

var qsParm = {};
var query = window.location.search.substring(1);
var parms = query.split('&');
for (var i = 0; i < parms.length; i++) {
  var pos = parms[i].indexOf('=');
  var key = parms[i].substring(0, pos);
  var val = parms[i].substring(pos + 1);
  qsParm[key] = val;
}
var text = decodeURIComponent(qsParm['nodatamsg']);
// Sink: the decoded parameter is assigned to innerHTML, so any markup in it is parsed by the browser
document.getElementById('noDataToDisplayLabel').innerHTML = text;

An error message can therefore be displayed by calling the following URL:
/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=Test

As the <script> tag is filtered, we were not able to use a script element directly in the “nodatamsg” parameter. However, the filter only looks for that tag, so we were able to bypass it with an element carrying an inline event handler:

<style onload="alert('Deloitte XSS')"></style>

The final URL including the payload is therefore:

/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=<style onload="alert('Deloitte XSS')"></style>
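The following is an added example, not Planon's code: it rewrites the nodata.html query-string handling so the “nodatamsg” value is rendered as text rather than markup, and includes a small check showing why a filter that only rejects the <script> tag does not stop the style/onload payload above. The function names and the percent-encoded sample URL are constructed for this illustration.

```javascript
// Added example, not Planon's code: parse the query string as nodata.html does,
// then render the message safely, and show why a "<script>"-only filter is not enough.

// Parse "?a=b&c=d" into an object, decoding each key and value.
function parseQueryString(search) {
  const params = {};
  const query = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const pos = pair.indexOf('=');
    const key = pos === -1 ? pair : pair.slice(0, pos);
    const val = pos === -1 ? '' : pair.slice(pos + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return params;
}

// Blacklist of the kind the advisory describes: only "<script" is rejected.
function scriptTagFilter(s) {
  return /<script/i.test(s) ? '' : s;
}

// Detection helper: does a string still carry a tag with an on* attribute after filtering?
const EVENT_HANDLER_ATTR = /<[a-z][^>]*\son[a-z]+\s*=/i;
function filterLetsHandlerThrough(payload) {
  return EVENT_HANDLER_ATTR.test(scriptTagFilter(payload));
}

// Mitigation 1: encode the HTML metacharacters so the value is inert even inside innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Mitigation 2 (preferred): assign to textContent, which never parses markup.
// `el` is any element-like object with a textContent property (a DOM element in the browser).
function renderNoDataMessage(el, search) {
  const msg = parseQueryString(search).nodatamsg ?? '';
  el.textContent = msg;
  return msg;
}

// Constructed sample: the advisory's payload URL, percent-encoded as a browser would send it.
const SAMPLE_SEARCH =
  "?nodatamsg=%3Cstyle%20onload%3D%22alert('Deloitte%20XSS')%22%3E%3C%2Fstyle%3E";
```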

Root Cause

It is recommended that all user input on all pages is subject to rigorous sanitization routines before it is accepted by the application. More specifically, user input data validation should be performed on the server-side, as client-side validations can easily be bypassed.

Fix

The issue was fixed in Planon Live Build 41, released on January 10th 2019.

Credit

Credit for finding and reporting the issue:

Florian Otterbein