#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Abacus [1]
# Vendor:   Abacus
# CSNC ID:  CSNC-2018-026
# Subject:  Reflected Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:     26.09.2018
#
#############################################################

Introduction:
-------------
Abacus is an owner-managed Swiss software company that employs around
380 people. For over three decades it has developed successful business
software. [1]

Compass Security discovered a security flaw in Abacus, which allows injecting
client-side code into the application.


Affected (According to vendor):
---------
Vulnerable:
 * v2018 SP 1 and subsequent hot fixes (build versions 2018.201.10342 - 2018.201.10466)

Not vulnerable:
 * v2018 Release-20.02.2018 Servicepack-20.09.2018 [2]
 * v2017
 * v2016


Technical Description
---------------------
Users, are able to specify their own error messages for failed login requests.
These messages can be manipulated to contain JavaScript code, which is
executed in the context of the user's browser when visited.

Request:
https://<IP_address>/oauth/login.html?error=CSNC<script>alert(0)</script>&
login_hint=user


Resulting HTML source code:
<div style="opacity: 0.5275;" aria-live="polite" class="toast toast-info">
<button role="button" class="toast-close-button" type="button">×</button>
<div class="toast-title">Login failed</div><div class="toast-message">
CSNC<script>alert(0)</script></div></div>


Workaround / Fix:
-----------------
This issue can be fixed by properly encoding user-provided input when displayed
back to the user.
Note: currently, some attack vectors will be blocked, since the used
Content-Security-Policy (CSP) prevents 'unsafe-inline' scripts.
Nevertheless, not all browsers do support CSP (e.g., Internet Explorer, if
X-Content-Security-Policy header is not set).


Timeline:
---------
2018-09-26:     Public disclosure
2018-09-24:     Release of service pack 2, addressing the vulnerability
2018-09-11:     Vendor responds that vulnerability will be addressed in the next service pack
2018-09-07:     Vendor responds that vulnerability is being analysed
2018-08-31:     Vendor notification
2018-08-29:     Discovery by Stephan Sekula


References:
-----------
[1] https://www.abacus.ch/de/unternehmen/das-ist-abacus/
[2] https://classic.abacus.ch/downloads-page/servicepacks/version-2018/