Reflected XSS Vulnerabilities in SIS Informatik - Rewe Go

Title

Reflected Cross-site Scripting Vulnerability

Product

SIS Informatik - REWE GO

Vulnerable Version

7.5.0/12C

Fixed Version

7.7 SP17

CVE Number

CVE-2021-31537

Impact

medium

Found

12.02.2021

By

Steffen Robertz, Florian Lienhart (Office Vienna)

The bookkeeping software REWE by SIS Informatik is affected by multiple reflected cross-site scripting vulnerabilities on the login screen. Hence, an attacker is able to execute arbitrary JavaScript code in the browser of the victim.

 

Vendor description

"SIS Informatik is your specialist for the conception and implementation of tailor-made accounting, business intelligence and corporate performance management solutions. In addition to technical competence, business know-how and the willingness to develop optimal, adaptable software solutions together with our customers are the central components that make us a strong partner. We develop solutions based on high-quality technologies from well-known partners such as IBM, Oracle and Qlik" (translated from German)

Source: https://sisinformatik.com/unternehmen/

 

Business recommendation

The vendor provides a patch which should be installed immediately. SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues.

 

Vulnerability overview/description

1) Multiple Reflected Cross-Site Scripting (XSS) (CVE-2021-31537)

The login website returns unfiltered or unescaped user input. This leads to a reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary HTML or JavaScript code into the victim's web browser. Once the victim clicks on a malicious link, the attacker's code is executed in the context of the victim's web browser.

 

Proof of concept

1) Multiple Reflected Cross-Scripting (XSS) (CVE-2021-31537)

When opening the following URL the supplied JavaScript code will be executed.

/rewe/prod/web/index.php?config=rewe2%22%3E%3Cscript%3Ealert(%22document.domain%22)%3C/script%3E&version=7.5.0&win=2707&user=test&pwd=test&db=test&continue=false

The affected parameters are: "config", "version", "win","db", "pwd", and "user".

No valid parameters need to be supplied to trigger the XSS vulnerability as seen in following URL:

/rewe/prod/web/index.php?abc'-alert(%22document.domain%22)-'abc=1

The following URL is affected as well:

/rewe/prod/web/rewe_go_check.php?config=rewe&version=7.5.0%3cscript%3ealert(1)%3c%2fscript%3e&win=2707

All parameters are affected.

 

Vulnerable / tested versions

The following product/firmware version has been tested:

  • SIS-REWE GO 7.5.0/12C

 

Vendor contact timeline

2021-02-24 Contacting vendor through office@sisworld.com; no reply.
2021-03-11 Contacting vendor again through office@sisworld.com.
2021-03-15 Vendor requests more information. SEC Consult offered to provide advisory via encrypted or unencrypted mail.
2021-03-17 Sending advisory via PGP encrypted mail.
2021-03-21 Vendor confirmed the vulnerability and is working on a patch.
2021-04-12 Requested status update.
2021-04-16 Hot fix 7.7 SP16 available in week 16, next release 7.7 SP17 in week 18.
2021-05-11 Coordinated release of security advisory.

Solution

Contact the vendor in order to install the security patch for release 7.7 SP16 or upgrade to release 7.7 SP17. More information has been provided to customers of the vendor in a newsletter.

Workaround

None

 

EOF Steffen Robertz, Florian Lienhart / @2021