Pasar al contenido principal

2014-001: Reflected XSS vulnerability in Boxcryptor

2014-001: Reflected XSS vulnerability in Boxcryptor

Original release date: February 4, 2014
Last revised: February 4, 2014
Discovered by: Vicente Aguilera Díaz
Severity: 4.3/10 (CVSSv2 Base Scored)

BACKGROUND

Boxcryptor is an easy-to-use encryption software optimized for the cloud. It allows the secure se of cloud storage services without sacrificing comfort.

Boxcryptor supports all major cloud storage providers (such as Dropbox, Google Drive, Microsoft SkyDrive, SugarSync) and supports all the clouds that use the WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).

DESCRIPTION

Has been detected a XSS vulnerability in www.boxcryptor.com. Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.

Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
These scripts can even rewrite the content of the HTML page.

PROOF OF CONCEPT

Next, we show a typical request to save changes in "My Account" option:

                     POST /app/user/modify/<userid> HTTP/1.1
                     Host: www.boxcryptor.com
                     ...
                    firstname=<firstname>&lastname=<lastname>&username=<email>&_newsletter=

                    where:
                       -  is a numeric user ID generated by boxcryptor
                       -  is the firstname specified by the user
                       -  is the lastname specified by the user
                       -  is the email address specified by the user

                   A malicious user can inject arbitrary HTML/script code in the <email> parameter.
                   For example:

                   POST /app/user/modify/3805739018726483071 HTTP/1.1
                   Host: www.boxcryptor.com
                   ...
                   firstname=John&lastname=Smith&username=johnsmith@gmail.com<h1> </h1><center>This+is+a+XSS+example</center>&_newsletter=
               </email></email></lastname></firstname></userid></email></lastname></firstname></userid>

When a user search an image, generates a link as the following:

https://www.google.com/url?sa=i&url=https%3A%2F%2Felpais.com%2Felpais%2F2017%2F02%2F13%2Fciencia%2F1486986287_013868.html&psig=AOvVaw32qmRyOt4_pkNDMqoVlPeb&ust=1583227169251000&source=images&cd=vfe&ved=0CAIQjRxqFwoTCOjR6_m6--cCFQAAAAAdAAAAABAE

The "url" parameter is not properly validated, so an open redirect can be exploited through this parameter.

Only this parameter is mandatory, so we can exclude some parameters in the GET request because not affect the expected results:

https://www.google.com/url?&url=

How to reproduce the vulnerability:

1. Select the malicious URL
For example:
https://www.isecauditors.com

2. Create the URL redirection to avoid the Google alert message

https://translate.google.com/translate?sl=auto&tl=en&u=

For example:

https://translate.google.com/translate?sl=auto&tl=en&u=www.isecauditors.com

3. Encode the URL redirection

For that, we can use some service as "https://meyerweb.com/eric/tools/dencoder/".

For example:

https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com

4. Create the final URL without Google alert

https://www.google.com/url?sa=i&url=https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser. This can leverage to steal sensitive information as user credentials, personal data, etc.

SYSTEMS AFFECTED

SOLUTION

-

REVISION HISTORY

February 4, 2014: Initial release

DISCLOSURE TIMELINE

  • February 4, 2014: Discovered by Internet Security Auditors
  • February 6, 2014: Contact with the developer team
  • February 10, 2014: Confirmed by vendor
  • February 10, 2014: Vendor deployed a new version
  • February 13, 2014: Internet Security Auditors release the advisory

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.