entry.picoevents.ch - Persistent XSS Attack (#mvid8)

Document Title:
entry.picoevents.ch - Persistent XSS Attack

mosi Vulnerability ID (mvid):
8
Discovery Status:
Vendor informed

CVSSv2 Overall Score:
6.2
CVSSv2 Vector:

Product & Service Introduction:
picoEvents provides an online registration and live-result service that simplifies timekeeping at orienteering events using SPORTident.

Namo Flury found a persistent (stored) cross-site scripting vulnerability in the registration form of a competition: the values submitted in the form's input fields were accepted unchanged and rendered back as HTML, so a value containing JavaScript was stored and later executed in the browsers of users viewing the page.

Report Timeline:
2017-06-19: Vendor requested an analysis of an attack on its server
2017-06-19: Vulnerability detected
2017-06-19: Vendor informed
2017-08-14: Vendor reminded
2017-08-15: Vendor requested more information
2017-09-07: Vendor asked for more time (granted)
2017-09-12: Vendor provided patch
2017-09-12: Patch rejected by mosi security research (not working)
2017-09-25: Vendor asked for more time (granted)
2017-10-03: Vendor released patch
2017-10-03: Patch approved by mosi security research
2017-10-03: Public Disclosure

Affected Products:
picoEvents entry form

Exploitation Technique:
Persistent XSS

Security Level:

Technical Details & Description:
Vulnerable Modules:
[+] http://www.picoevents.ch/entry/regist/anmeldung2.php

Vulnerable Parameter(s):
[+] Name
[+] Vorname
[+] Jahrgang
[+] Wohnort
[+] Club

Proof of Concept (PoC):
It was possible to submit the JavaScript payload "<script>alert("xss");</script>" in the form field "Club". The value was stored as entered and, when the page rendered it, the script was executed in the client's browser. The other listed parameters (Name, Vorname, Jahrgang, Wohnort) were affected in the same way.

Possible Solution:
Validate input server-side (length, expected character set, a four-digit year for Jahrgang) and, independently of that, HTML-encode every user-supplied value at the point where it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit charset). Output encoding is the control that actually stops the injected script from being parsed; validation alone is not sufficient, because legitimate values such as names containing an apostrophe must still be rendered safely.
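The following is an added example and not picoEvents' own code. It contrasts the vulnerable rendering pattern the advisory describes with a hardened version, using the field names from the advisory and the PoC payload in "Club". The table layout, the function names, the sample entry and the validation rules are assumptions made for illustration.

```php
<?php
// Added example, not picoEvents' own code. The field names (Name, Vorname,
// Jahrgang, Wohnort, Club) are those listed in the advisory; the table layout,
// the render functions and the sample entry are assumptions for illustration.

declare(strict_types=1);

// Constructed sample entry: the advisory's PoC payload stored in "Club".
$entries = [
    ['Name' => 'Muster', 'Vorname' => 'Anna', 'Jahrgang' => '1990',
     'Wohnort' => 'Bern', 'Club' => '<script>alert("xss");</script>'],
];

// Vulnerable pattern: stored values are concatenated into the HTML unchanged,
// so the stored <script> tag is parsed and executed by every visitor's browser.
function renderEntriesVulnerable(array $entries): string
{
    $html = "<table>\n";
    foreach ($entries as $e) {
        $html .= "<tr><td>{$e['Name']}</td><td>{$e['Vorname']}</td>"
               . "<td>{$e['Jahrgang']}</td><td>{$e['Wohnort']}</td>"
               . "<td>{$e['Club']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every value is HTML-encoded at the point of output.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside
// attribute values; UTF-8 is passed explicitly so the encoder cannot be
// confused by a mismatched default charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderEntriesHardened(array $entries): string
{
    $html = "<table>\n";
    foreach ($entries as $e) {
        $html .= '<tr><td>' . h($e['Name']) . '</td><td>' . h($e['Vorname']) . '</td>'
               . '<td>' . h($e['Jahrgang']) . '</td><td>' . h($e['Wohnort']) . '</td>'
               . '<td>' . h($e['Club']) . '</td></tr>' . "\n";
    }
    return $html . "</table>\n";
}

// Server-side validation as a second layer: reject values that cannot be
// legitimate for the field (for example a non-four-digit year) instead of
// trying to strip "bad" characters. Validation narrows the input; it does not
// replace output encoding, because a name such as O'Neill is valid yet still
// has to be encoded when rendered.
function validateEntry(array $e): array
{
    $errors = [];
    if (!preg_match('/^(19|20)\d{2}$/', $e['Jahrgang'])) {
        $errors[] = 'Jahrgang must be a four-digit year';
    }
    foreach (['Name', 'Vorname', 'Wohnort', 'Club'] as $field) {
        if ($e[$field] === '' || mb_strlen($e[$field]) > 100) {
            $errors[] = "$field must be 1-100 characters";
        }
    }
    return $errors;
}

echo "--- vulnerable output (script tag reaches the browser intact) ---\n";
echo renderEntriesVulnerable($entries);
echo "--- hardened output (payload rendered as inert text) ---\n";
echo renderEntriesHardened($entries);
echo "--- validation errors for the sample entry ---\n";
print_r(validateEntry($entries[0]));
```

Run with `php example.php`: the first table contains the raw `<script>` tag, the second contains `&lt;script&gt;alert(&quot;xss&quot;);&lt;/script&gt;`, which the browser displays as text. Note that the sample payload passes the length and year checks, which is exactly why validation on its own was never going to close this issue: the encoding step is the one that matters.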

Security Risk:
Medium with high exploitability (CVSSv2 6.2)

Author / Credits:
mosi security research - Namo Flury (Researcher)
mosi security research - Simon Monai (Author) (http://jongliertricks.ch/kontakt)

Public Disclosure:
2017-10-03 - https://jongliertricks.ch/mosi-security-research/42