exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

perfact::mpa Open Redirect

perfact::mpa Open Redirect
Posted Mar 1, 2016
Authored by Matthias Deeg, Sven Freund | Site syss.de

The SySS GmbH found out that the web application perfact:mpa accepts user-controlled input via the URL parameter "redir" that can be used to redirect victims to an arbitrary site which simplifies so-called phishing attacks.

tags | exploit, web, arbitrary
SHA-256 | 1240006c91f037df38cbcd2cbcc641d8f0ac32f2445fa4d65f159730f692deb7

perfact::mpa Open Redirect

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-073
Product(s): perfact::mpa
Manufacturer: PerFact Innovation GmbH & Co. KG
Affected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2
Tested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2015-12-18
Solution Date: 2016-01-18
Public Disclosure: 2016-02-29
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software solution perfact::mpa is a software architecture that, for
instance, is used to build web applications for the secure and reliable
remote maintenance of machines via the Internet (see [1]).

According to the manufacturer, remote control software built with
perfact::mpa impresses through the following features:

* location-independent and central monitoring,
* maintenance and error management,
* authorized remote access, and
* integrated documentation of incidents and services.

The web application perfact::mpa uses attacker-controlled input to
redirect a user to another site (open redirect).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that the web application perfact:mpa accepts
user-controlled input via the URL parameter "redir" that can be used to
redirect victims to an arbitrary site which simplifies so-called
phishing attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL redirects a user to the web site of the SySS GmbH:

https://<HOST>/<PATH>/MPA2/i18n_lang_id?lang_id=1&redir=https://www.syss.de

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the PerFact Innovation GmbH & Co. KG, the
described security issue has been fixed in PerFact DB_Utils (toolkit)
software version 3.2.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-18: Vulnerability reported to manufacturer
2016-01-18: Response from manufacturer with detailed information about
the reported security vulnerability and its solution status
2016-02-05: E-mail to manufacturer according two open questions
2016-02-05: Response from manufacturer with further information
2016-02-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for perfact::mpa
https://perfact.de/mpa/index_html
[2] SySS Security Advisory SYSS-2015-073
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-073.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Sven Freund
of the SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJW0/AUAAoJENmkv2o0rU2rDrIP/j3TIOlTm5kG+NYvD0VIfMy6
qwkMjJv9zqRBtm3Xd2rMs25N9NQqg5/YhTsrs0nkGsSbX+Iy8TrkGRm6dOgUlS/F
u3ZQmGq2jUXmlGkmfkSg7HNn7Cv3mBhTjmt2v1DxngL7fo71oph0e3vhsDI/TEx3
wcTZrjcz7ovOxS1GQpm1Q89FCphxpUy+Di0RDIbKVe77zhpWSBllq132cGNrFhIS
yWmQlCtiUCMggca73p6L3Bzs1RztpyN2ixnR27KqOi+M6NfnBWmCiUoTdfjekOrF
levCy0ZMvRbZo3bwKz+wBgxaB71fd2j7SbUX/GWTAbX9mpghytwV/CpjIzgdoSmJ
i+IWTKyZ/3+2i8kx6ykvb/syr8Qfjpcjp+fETzPkZuN2c2A8j/amdfXFdMOCmgDe
ajnYC7BkTHAY1vH5XqPnV9ngZZF3BRRDfi9DmbmGbDJTM3yXjCNaHPnHbHMATdxw
NZqLydKWEmH+in5U8V5dgzYtnJEMxqFLEsmRky6I/mze/qTfXl3DEdRP7oOEhkMF
wnu+JPFJD7SDV0qkFvxM8Glo5DKXPIMPColZDYBi7OeOpBK0RA7F19xRCFmmcuP9
J2SKf8N+VKTXYnxbUdcW6VwJ2hM0/b/+LLfc4EaAFD8EN46Ls2uXhgyeQjZzN/TA
idv5YOP60cFc3xB2FWuV
=5w5A
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close