Document Title:
===============
Telekom Prepaid Shop - Multiple Persistent Vulnerabilities

Date:
=====
2017-09-04

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2051

Telekom Security ID: 20170407_TLu_04

VL-ID:
=====
2051

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Introduction:
=============
https://prepaid.telekom-angebot.de/prepaid/all

Abstract:
=========
The Vulnerability Laboratory core research team discovered multiple persistent cross-site scripting vulnerabilities in the official Telekom Angebot Prepaid online service web application.

Report-Timeline:
================
2017-04-07: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2017-04-08: Vendor Notification (Telekom Cert - Security Department)
2017-04-09: Vendor Response/Feedback (Telekom Cert - Security Department)
2017-07-20: Vendor Fix/Patch (Telekom Service Developer Team)
2017-08-01: Security Acknowledgements (Telekom Cert - Security Department)
2017-09-05: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Telekom AG
Product: Prepaid Shop - Online Service (Web-Application) v2017 Q1

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent cross-site scripting vulnerabilities have been discovered in the official Telekom Angebot Prepaid online service web application. This vulnerability type allows remote attackers to inject their own malicious script code on the application side of the vulnerable service or affected module. The vulnerability affects the order and payment process used when an active contract is issued. The vulnerabilities are located in the customer credentials input fields of the prepaid form file.
The vulnerabilities are located in the `First- & Lastname`, `Address`, `Location` and `Count` input fields of the POST request to the `/prepaid/form` file. Remote attackers are able to inject their own malicious script code through the vulnerable registration/order process to manipulate the backend or the frontend of the web application. The first execution occurs after the input is temporarily saved and displayed in the `Payment or Order Preview`. After that, execution occurs in the email notification body, in the backend and in the user frontend once the registration is confirmed.

The security risk of the cross-site scripting vulnerabilities is estimated as medium with a Common Vulnerability Scoring System count of 4.3. Exploitation of the persistent cross-site scripting vulnerabilities requires no privileged web-application user account and only low user interaction. Successful exploitation results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and persistent manipulation of affected or connected web module context.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] Registration to Order Process

Vulnerable File(s):
[+] form

Vulnerable Parameter(s):
[+] First- & Lastname
[+] Location
[+] Address
[+] Count

Affected Module(s):
[+] Frontend
[+] Backend
[+] Outgoing Mail Notify

Proof of Concept:
=================
The persistent input validation vulnerabilities can be exploited as cross-site scripting issues by remote attackers without privileged web-application user accounts and with low user interaction. For a security demonstration or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the service web-application URL of the prepaid shop
2. Choose the order categories
3. Submit the request
Note: The user is now redirected to the registration/order form
4. Inject test payloads into the vulnerable marked input fields
5. Save the content via the form (POST request) to confirm
6. The execution occurs visibly in the preview of the order credentials that Telekom stores in the main DBMS
7. Successful reproduction of the vulnerability!

Note: Also check the contract email notification after confirmation and the backend where the data is permanently displayed. Neither is securely sanitized by a parsing mechanism or filter procedure.

PoC: Vulnerable Source (Execution Point) - First- & Lastname
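As an added example that is not part of the original advisory and not the Telekom application's own code, the following Python script models the render path the report describes: the form fields from the `/prepaid/form` POST body are concatenated straight into the HTML order preview, which is how a stored payload reaches the preview, the email body and the backend view. The hardened variant applies HTML output encoding with `html.escape` and validates `Count` as a positive integer before rendering. The parameter names, the HTML template and the test payload in the sample POST body are constructed assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample POST body for the /prepaid/form request. The parameter
# names are assumptions; the advisory only gives descriptive field labels.
# The address value is a constructed XSS test payload, URL-encoded as a
# browser would send it.
SAMPLE_POST_BODY = (
    "firstname=Max&lastname=Mustermann"
    "&address=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E"
    "&location=Berlin&count=1"
)

FIELDS = ("firstname", "lastname", "address", "location", "count")


def parse_form(body: str) -> dict:
    """Parse the URL-encoded POST body into a dict of single string values."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: parsed.get(name, [""])[0] for name in FIELDS}


def render_preview_unsafe(form: dict) -> str:
    """Vulnerable render path: raw user input is interpolated into the HTML
    order preview with no output encoding, so markup in any field becomes
    part of the page (the behaviour the advisory reports)."""
    return (
        "<div class='order-preview'>"
        f"<p>Name: {form['firstname']} {form['lastname']}</p>"
        f"<p>Address: {form['address']}, {form['location']}</p>"
        f"<p>Count: {form['count']}</p>"
        "</div>"
    )


def validate(form: dict) -> list:
    """Server-side input validation. Returns a list of error messages
    (empty when the form is acceptable). Count must be a 1-3 digit positive
    integer; free-text fields are length-limited but not filtered, because
    output encoding, not input filtering, is what stops the injection."""
    errors = []
    if not re.fullmatch(r"[1-9][0-9]{0,2}", form["count"]):
        errors.append("count must be a positive integer")
    for name in ("firstname", "lastname", "address", "location"):
        if not 1 <= len(form[name]) <= 100:
            errors.append(f"{name} has invalid length")
    return errors


def render_preview_safe(form: dict) -> str:
    """Hardened render path: every value is HTML-entity encoded (quote=True
    also encodes ' and ") at the point of output, so stored markup is shown
    as text instead of being executed. The same step applies to the HTML
    email body and the backend order view."""
    errors = validate(form)
    if errors:
        raise ValueError("; ".join(errors))
    e = {k: html.escape(v, quote=True) for k, v in form.items()}
    return (
        "<div class='order-preview'>"
        f"<p>Name: {e['firstname']} {e['lastname']}</p>"
        f"<p>Address: {e['address']}, {e['location']}</p>"
        f"<p>Count: {e['count']}</p>"
        "</div>"
    )


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to compare the two outputs: is there still a
    real tag carrying an on* event handler attribute in the rendered HTML?"""
    return re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.I) is not None


if __name__ == "__main__":
    form = parse_form(SAMPLE_POST_BODY)
    print("unsafe:", render_preview_unsafe(form))
    print("safe:  ", render_preview_safe(form))
```

Running the script prints the preview twice: in the unsafe output the `<img ... onerror=...>` element from the address field is live markup, in the safe output it appears as `&lt;img ... &gt;` text. Encoding must happen per output context; the same values would need URL or attribute encoding if they were placed into a link or attribute rather than element text.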