entry.picoevents.ch - Persistent XSS Attack (#mvid8)

Document Title:
===============
entry.picoevents.ch - Persistent XSS Attack


mosi Vulnerability ID (mvid):
===============
8


Discovery Status:
=============
Vendor informed


CVSSv2 Overall Score:
===============
6.2


CVSSv2 Vector:
==============
(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C/CDP:L/TD:M/CR:H/IR:M/AR:M)


Product & Service Introduction:
==============
picoEvents provides an online registration and live-result service that simplifies timekeeping in orienteering in combination with SPORTident.
http://picoevents.ch/


Abstract:
==============
Namo Flury found a persistent cross-site scripting vulnerability in the registration form of a competition by replacing a value in the input fields with JavaScript code.


Report Timeline:
==============
2017-06-19: Analysis of server attack requested by vendor
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-08-14: Vendor reminded
2017-08-15: Vendor requested more information
2017-09-07: Vendor asked for more time (granted)
2017-09-12: Vendor provided patch
2017-09-12: Patch rejected by mosi security research (not working)
2017-09-25: Vendor asked for more time (granted)
2017-10-03: Vendor released patch
2017-10-03: Patch approved by mosi security research
2017-10-03: Public Disclosure


Affected Products:
=============
picoEvents entry form


Exploitation Technique:
=============
Persistent XSS


Security Level:
=============
Medium


Technical Details & Description:
=============
Vulnerable Modules:
[+] http://www.picoevents.ch/entry/regist/anmeldung2.php

Vulnerable Parameter(s):
[+] Name
[+] Vorname
[+] Jahrgang
[+] Wohnort
[+] Club


Proof of Concept (PoC):
=============
It was possible to submit the JavaScript payload "<script>alert("xss");</script>" in the form field "Club". The payload was stored by the application and executed in the client's browser when the entry was rendered.


Possible Solution:
============
Validate input on the server and HTML-escape every user-supplied value at the point where it is rendered (output encoding).
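The following is an added example and not picoEvents code: it models the rendering of a stored registration record as described in the PoC above, first unescaped (the reported behaviour, where the "Club" payload runs in the browser) and then with the output escaping recommended under Possible Solution. The field names follow the advisory; the sample record, the helper names and the validation rules are assumptions made for the demonstration.

```javascript
// Added example (not picoEvents code): stored value rendered unescaped vs.
// HTML-escaped. Field names come from the advisory; the record is constructed.

// The payload from the advisory, used here as sample input.
const XSS_PAYLOAD = '<script>alert("xss");</script>';

// Constructed sample registration record (hypothetical data).
const SAMPLE_ENTRY = {
  Name: 'Muster',
  Vorname: 'Hans',
  Jahrgang: '1990',
  Wohnort: 'Bern',
  Club: XSS_PAYLOAD,
};

const FIELDS = ['Name', 'Vorname', 'Jahrgang', 'Wohnort', 'Club'];

// Minimal HTML escaping for text nodes and double-quoted attribute values.
// '&' must be replaced first so that later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored value is concatenated into the page as-is,
// so the browser parses the <script> element and runs it for every visitor.
function renderRowVulnerable(entry) {
  return '<tr>' +
    FIELDS.map((field) => '<td>' + entry[field] + '</td>').join('') +
    '</tr>';
}

// Hardened rendering: every value is escaped at output time, so the payload
// is displayed as literal text and the markup stays inert.
function renderRowHardened(entry) {
  return '<tr>' +
    FIELDS.map((field) => '<td>' + escapeHtml(entry[field]) + '</td>').join('') +
    '</tr>';
}

// Check used by the demo: does the rendered HTML still contain a <script>
// start tag that a browser would execute?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Server-side validation in the spirit of the advisory's suggestion
// (assumed rules): a year of birth is exactly four digits, and the free-text
// fields must not contain angle brackets. Validation narrows the input;
// escaping at render time is still required because legitimate values may
// contain '&' or quotes.
function validateEntry(entry) {
  const errors = [];
  if (!/^\d{4}$/.test(entry.Jahrgang)) errors.push('Jahrgang');
  for (const field of ['Name', 'Vorname', 'Wohnort', 'Club']) {
    if (/[<>]/.test(entry[field])) errors.push(field);
  }
  return errors;
}

console.log('vulnerable:', renderRowVulnerable(SAMPLE_ENTRY));
console.log('hardened:  ', renderRowHardened(SAMPLE_ENTRY));
console.log('validation errors:', validateEntry(SAMPLE_ENTRY));
```

Run with `node`; the vulnerable row contains a live `<script>` element, the hardened row shows the same text as `&lt;script&gt;...`, and validation rejects the "Club" field before the record is stored.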


Security Risk:
============
Medium with high exploitability (CVSSv2 6.2)


Author / Credits:
============
mosi security research - Namo Flury (Researcher)
mosi security research - Simon Monai (Author) (http://jongliertricks.ch/kontakt)


Public Disclosure:
============
2017-10-03 - https://jongliertricks.ch/mosi-security-research/42


----------------------------
https://jongliertricks.ch/mosi-security-research