
TL;DR:
- Cross-site scripting vulnerabilities were found in the wizard editor component of Lorensbergs Ltd.'s Connect2 booking product.
- The findings have been released under CVE-2021-43960
- The vulnerability required administrator privileges to be exploited and affected all users of the application, including other administrators.
Summary
Lorensbergs Connect2 is software that handles the booking process for student resources and services. The software is affected by a cross-site scripting vulnerability that may allow an attacker to steal end user session cookies, redirect users to malicious websites, capture keystrokes, steal sensitive information and perform any other malicious activity that can be achieved by injecting client-side JavaScript code into the application.
Affected Products
Lorensbergs Ltd.'s Connect2 version 3.13.7647.20190. This was the only version available for testing, so other versions were not tested. Other versions could be vulnerable as well.
Technical Details
There is a cross-site scripting (XSS) vulnerability present in the Connect2 software. A user with administrator privileges is able to inject JavaScript into the booking system pages using the Wizard functionality within the application. This affects end users as the payloads are executed throughout the material booking process. The payloads can be injected in all of the Wizard form fields and will trigger if the contents of these form fields are rendered throughout the booking process. The vulnerable form fields are all the ones present on the following:
The exploitation process consists of an administrator populating any of the form fields available through the Wizard functionality with malicious JavaScript code. Once the Save button is clicked, the payloads are triggered every time a user loads the booking step that the edited Wizard corresponds to.
As a basic proof of concept, the consultant first attempted to generate a JavaScript alert using the following cross-site scripting (XSS) payload:
<script>alert("SureCloud XSS")</script>
This resulted in an alert being shown to the user once they entered the first step of the material booking process. As the proof of concept was successful, the consultant used other payloads to show the potential impact of this vulnerability.
In the particular instance that the SureCloud consultant tested, the HttpOnly flag for session cookies and the CORS policy were both well configured, so it was impossible for the consultant to hijack other user sessions through common methods, as the cookies were not accessible to client-side code. The consultant was, however, able to redirect users to arbitrary web pages with the payload shown in the following screenshot, which could be used for phishing, drive-by attacks and defamation by sending users to undesired web pages.
It should be noted that all users, including administrators, are affected by this issue.
Impact
Since this instance had well configured session cookies with the HttpOnly flag enabled and a strict CORS policy, stealing session cookies through conventional XSS payloads was not feasible. However, using alternative payloads, a malicious actor is able to redirect users to malicious pages where phishing attacks can be performed. Users can also be redirected to pages hosting drive-by attacks, thereby infecting them with malware.
Additionally, malicious actors can use this vulnerability to capture users' keystrokes by creating a payload that records every key pressed by a user and sends the information back to the attacker, for example through HTTP requests to a web server they control. This could lead to sensitive information being exposed, as the booking process may require credit card information to be entered in its last steps to pay for the borrowed materials.
Last words
Lorensbergs Ltd. has chosen not to publicly address this issue. It is unknown whether they have done so privately, so the tested version of Connect2 may still be vulnerable even after the publication of this blog post. Developers and system maintainers are advised to implement their own solutions as a temporary mitigation until Lorensbergs Ltd. releases an update with a fix.
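The root cause described under Technical Details is administrator-supplied Wizard field text being rendered into the booking pages as HTML, and the paragraph above asks maintainers to mitigate this themselves. The following is an added example, not Connect2 code and not something Lorensbergs or SureCloud published: it contrasts the unsafe rendering pattern with an output-encoded one, and includes a small audit routine that scans stored Wizard step values for markup so that payloads an administrator has already saved can be found and cleaned up. The step objects, field names (`title`, `description`) and function names are hypothetical; the sample data is constructed and reuses the proof-of-concept payload from the page.

```javascript
// Added example (hypothetical names, not Connect2's own code): encode
// administrator-supplied Wizard field text before rendering it, and audit
// stored values for HTML that should never be present.

// Escape the characters that allow text to break out of an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: Wizard field text is concatenated straight into the
// page markup, so a <script> stored by an administrator is parsed as HTML
// and executed for every user who loads this booking step.
function renderWizardStepUnsafe(step) {
  return `<h2>${step.title}</h2><p>${step.description}</p>`;
}

// Hardened pattern: every administrator-supplied value is encoded as text,
// so the same stored payload is displayed literally instead of executed.
function renderWizardStepSafe(step) {
  return `<h2>${escapeHtml(step.title)}</h2><p>${escapeHtml(step.description)}</p>`;
}

// Audit helper for maintainers: flag stored field values that contain tags,
// inline event handlers or javascript: URLs. This finds payloads that were
// saved before the rendering fix was deployed; it is not a substitute for
// output encoding, since a filter can be bypassed where encoding cannot.
const SUSPICIOUS_PATTERNS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag, including <script>
  /\bon[a-z]+\s*=/i,        // inline event handler such as onload=
  /javascript\s*:/i,        // javascript: scheme in a link or src
];

function auditWizardFields(steps) {
  const findings = [];
  for (const step of steps) {
    for (const [field, value] of Object.entries(step)) {
      if (typeof value !== 'string') continue;
      if (SUSPICIOUS_PATTERNS.some((re) => re.test(value))) {
        findings.push({ step: step.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample: two Wizard steps, the second carrying the payload
// from the proof of concept on this page.
const sampleSteps = [
  { id: 1, title: 'Select materials', description: 'Choose the items you want to borrow.' },
  { id: 2, title: 'Confirm booking', description: '<script>alert("SureCloud XSS")</script>' },
];

console.log('unsafe :', renderWizardStepUnsafe(sampleSteps[1]));
console.log('safe   :', renderWizardStepSafe(sampleSteps[1]));
console.log('audit  :', JSON.stringify(auditWizardFields(sampleSteps)));
```

Running the block shows the unsafe renderer emitting the raw `<script>` element while the safe renderer emits `&lt;script&gt;...`, and the audit reports step 2's `description` field as the only stored value needing attention. Encoding at the point of output is the fix that holds regardless of which Wizard field the text came from; the audit only helps locate what is already stored.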
Disclosure timeline
21/07/2021 Bug Identified
22/07/2021 Lorensbergs Ltd. contacted to request an appropriate contact for disclosure.
16/09/2021 Lorensbergs Ltd. contacted to notify them of the vulnerability
17/11/2021 CVE number requested, granted and reserved
12/01/2022 Vulnerability published via SureCloud’s blog