APAK Wholesale Finance XSS

A Cross-Site Scripting (XSS) vulnerability in the “Wholesale Floorplanning Finance” web application allows an attacker to inject JavaScript into the website. This may allow a malicious entity to gain (administrative) access to the application or perform actions on behalf of the victim user. The vulnerability was reported as CVE-2019-17551.

Background

We discovered a security issue in the “Wholesale Floorplanning Finance” web application. It is possible to inject JavaScript code through the “Notes” function of the product due to a lack of sufficient input filtering. An attacker can inject malicious code that is later executed in the browsers of legitimate users who open the affected page. An attacker may thereby perform unauthorized actions on behalf of legitimate users or spread malware via the application.

Steps to Reproduce

The application performs limited filtering of XSS and other injection vectors. However, this filtering is based on a blacklist approach and not all payloads are recognized. We were able to use the <marquee> element in combination with an “onbounce” event handler to circumvent the protection. This results in successful stored XSS.

The following pictures show how we were able to exploit the vulnerability.

Root Cause

This issue exists due to insufficient input filtering in the WYSIWYG editor of the “Notes” section. In order to mitigate the issue, we recommend applying input filtering to all input fields and URL parameters in the entire application to ensure that only valid input is processed (both the field names and the field values must be validated, not just the values).
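To make the recommendation above concrete, the following is an added example and not code from the original advisory or from the vendor: a constructed blacklist filter of the kind the page describes lets the marquee/onbounce vector through, while a small allowlist sanitizer for a rich-text “Notes” field drops unknown elements and every event-handler attribute by construction. The tag list, the per-tag attribute list and the accepted URL schemes are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed blacklist filter: it only knows a few handler names, so an event
# handler it has never seen (such as onbounce) passes straight through.
BLACKLIST = re.compile(r"<script|onclick|onload|onerror|onmouseover", re.I)

def blacklist_filter(html_in: str) -> str:
    return BLACKLIST.sub("", html_in)

# Allowlist for a rich-text "Notes" field (assumed set): only these tags and
# per-tag attributes survive; unknown elements and all on* attributes are dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # e.g. <marquee>, <script>, <iframe> vanish entirely
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript: and data: URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:  # also closes anything left open inside it
            closed = None
            while closed != tag:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is entity-encoded

def sanitize_notes(html_in: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html_in); parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out)
```

The same allowlist must be applied server-side on every path that stores note content, not only in the editor's client-side code.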

Fix

We were able to verify this vulnerability in software versions 6.31.8.3 and 6.31.8.5. However, all versions with the vulnerable WYSIWYG “Notes” section are likely affected.
The vendor was informed of the finding on August 8, 2019. On August 9, 2019 we held a findings call with the vendor, where a patch release was announced to be coordinated. Unfortunately, subsequent communications remained without response.

Credit

Credit for finding and reporting the issue:

Andres Rauschecker (Deloitte)