Kontakt

Kontaktieren Sie uns gerne

+49 241 510081-0
kontakt@redteam-pentesting.de
Kontaktformular
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

rexx Recruitment Cross-Site Scripting in User Registration

in rexx Recruitment’s user registration page during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the rexx Recruitment installation’s domain.

Details

  • Product: rexx Recruitment
  • Affected Versions: Releases prior to those fixed on 2014-01-15
  • Fixed Versions: R6.1 and R7 with fixes from 2014-01-15
  • Vulnerability Type: Cross-Site Scripting
  • Security Risk: high
  • Vendor URL: http://www.rexx-systems.com
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-002
  • Advisory Status: published
  • CVE: CVE-2014-1224
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1224

Introduction

“rexx Recruitment supports around 3 million application processes each year (data from 2011). This stems from experience in applicant management: from company recruitment in small and medium-sized enterprises and international companies, through to specialised personnel service providers.

The rexx Recruitment software supports paper, online and email applications. All information about and communication with the applicant at a glance in the digital applicant file!”

(from rexx systems’ homepage)

More Details

The rexx Recruitment software includes a user registration where job applicants who want to stay informed about new vacancies can register. The registration site is usually available at the path “/reg”, for example at a URL like the following:

http://www.example.com/reg

The website asks for some mandatory data like name and surname as well as postal and email addresses. If a mandatory entry is missing when submitting the data, the website will present the registration site again to the user, with those input fields pre-populated with the data that was already filled in and error messages for the missing input fields. The pre-populated “first name” field with the name “redteam” would for example look as follows in the HTML source code:

<input type="text" style="" id="fname" name="fname" value="redteam" title="" />

If it is now tried to embed control characters like an opening angle bracket in the name, the system filters the input by removing everything after the bracket. The value “red<team” would for example be shortened to “red”.

The application also removes known event handlers from user input, so the input

redteam" onmouseover="alert('RedTeam Pentesting')

is reduced to

redteam" "alert('RedTeam Pentesting')

However, event handler unknown to the application are not removed, so the HTML5 event handler “oninput” is not recognized and can be used to run JavaScript code as soon as a user starts to type in the input field:

redteam" oninput="alert('RedTeam Pentesting')

It is also possible by simply adding the even handler two times to make the application only remove one instance of the string. The input

redteam" onfocusonfocus=="alert('RedTeam Pentesting')" autofocus="autofocus

will be changed to the desired string

redteam" onfocus="alert('RedTeam Pentesting')" autofocus="autofocus

and therefore the input field will look like this:

<input type="text" 
       style=""
       id="fname"
       name="fname"
       value="redteam"
       onfocus="alert('RedTeam Pentesting')"
       autofocus="autofocus"
       title="" />

Proof of Concept

The following URL adds a new “onfocus” event handler to the “fname” input field that gets executed as soon as the website is loaded due to the “autofocus” attribute:

http://www.example.com/reg
  ?fname=redteam"%20onfocusonfocus%3d%3d"alert('RedTeam%20Pentesting')"%20autofocus%3d"autofocus
  &continue.x=
  &continue.y=

Workaround

If possible, disable user registration and disallow access to the registration website, e.g. by blocking access in the web server.

Fix

Update to versions R6.1 or R7 with the fixes from 2014-01-15 included.

Security Risk

The risk of this vulnerability is estimated to be high. Being able to embed arbitrary JavaScript code allows attackers to completely manipulate the website, add their own content and track all user interaction.

Timeline

  • 2013-12-04 Vulnerability identified
  • 2013-12-10 Customer approved disclosure to vendor
  • 2013-12-13 Vendor notified
  • 2014-01-15 Vendor released fixed version
  • 2014-02-11 CVE number requested and assigned
  • 2014-03-27 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.