| ID | Product | Version | Vulnerability |
|---|---|---|---|
| SUID-2019-00002 | Scytl Secure Vote (sVote) | 2.1 | XSS |
*SUID IDs reference security issues and bad practices that are not necessarily exploitable but might still cause issues in certain scenarios.
Description
Looking at the following file, it is possible to observe potentially unsafe practices (`source-code\online-voting-channel\ov-commons\ov-commons-correctness\src\main\java\com\scytl\products\ov\commons\correctness\builder\attributes\ContestCorrectionBuilder.java`):
```java
public void generateCorrectnessCode(StringBuilder sb) {
    // type parameters were lost in extraction; String -> Integer is assumed here
    Set<Entry<String, Integer>> entrySet = questions.entrySet();
    for (Entry<String, Integer> entry : entrySet) {
        sb.append("result = function (subSelection, callbackFunction) {");
        sb.append("var partialResult = true;");
        // contestId and the question key are concatenated straight into the generated JavaScript
        sb.append("var selectionName = '").append(contestId).append("';");
        sb.append("var attributeName = '").append(entry.getKey()).append("';");
        sb.append("var max = ").append(entry.getValue().intValue()).append(";");
        sb.append("var count = 0;");
        // remainder of the generated function not shown in the advisory
    }
}
```
The line `sb.append("var selectionName = '").append(contestId).append("';");` appends an ID without validating it.
The contestId reaches the builder through its constructor:
```java
public ContestCorrectionBuilder(String contestId, AttributesCorrectnessBuilder attributesCorrectnessBuilder) {
    // the caller-supplied contestId is stored as-is, without validation or escaping
    this.contestId = contestId;
    this.attributesCorrectnessBuilder = attributesCorrectnessBuilder;
}
```
None of the appended values are escaped, which means that somebody who gets control over the context object can inject dynamic JS code and, for example, redirect voters to shady sites or steal cookies.
A safe implementation would either build the values in a JS array and convert it to a string, or escape the provided strings before emitting them.
The contestId was, however, never user-controlled and is thus not directly vulnerable.
Future iterations might reuse this code or introduce unsafe coding practices that render the vulnerability exploitable.
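The following is an added example, not Scytl's code, showing the escaping approach suggested above in the project's language: every dynamic value is emitted as an escaped double-quoted JS string literal, so a value can never terminate the literal it sits in. The class name, the helper `jsStringLiteral`, and the `Map<String, Integer>` type of `questions` are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hardened builder: dynamic values become escaped JS string literals, never raw text. */
public final class SafeContestCorrectionBuilder {
    private final String contestId;
    private final Map<String, Integer> questions; // assumed type of the original 'questions'

    public SafeContestCorrectionBuilder(String contestId, Map<String, Integer> questions) {
        this.contestId = contestId;
        this.questions = questions;
    }

    /** Encodes s as a double-quoted JS string literal. Quotes, backslashes, control
     *  characters, '<', '>' and the U+2028/U+2029 line terminators are written as
     *  backslash-u escapes, so no value can close the literal or the script block. */
    static String jsStringLiteral(String s) {
        StringBuilder out = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean unsafe = c < 0x20 || c == '"' || c == '\'' || c == '\\'
                    || c == '<' || c == '>' || c == '\u2028' || c == '\u2029';
            out.append(unsafe ? String.format("\\u%04x", (int) c) : String.valueOf(c));
        }
        return out.append('"').toString();
    }

    public void generateCorrectnessCode(StringBuilder sb) {
        for (Map.Entry<String, Integer> entry : questions.entrySet()) {
            sb.append("result = function (subSelection, callbackFunction) {");
            sb.append("var partialResult = true;");
            sb.append("var selectionName = ").append(jsStringLiteral(contestId)).append(';');
            sb.append("var attributeName = ").append(jsStringLiteral(entry.getKey())).append(';');
            // max is an int, so it carries no script and is emitted as a plain number
            sb.append("var max = ").append(entry.getValue().intValue()).append(';');
            sb.append("var count = 0;");
            sb.append("};");
        }
    }

    public static void main(String[] args) {
        Map<String, Integer> questions = new LinkedHashMap<>();
        questions.put("q1", 2);
        StringBuilder sb = new StringBuilder();
        // constructed sample ID containing a quote, which would end a raw '...' literal
        new SafeContestCorrectionBuilder("c1'; x(); //", questions).generateCorrectnessCode(sb);
        System.out.println(sb);
    }
}
```

With the original single-quoted concatenation the sample ID would close the literal and the rest would be parsed as code; here it is emitted as an inert string.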
Timeline
| Date | Event |
|---|---|
| February 08 2020 | Submitted issue to vendor |
| February 18 2020 | Vendor acknowledged the issue |
Credits
| Name | Team |
|---|---|
| Anthony Schneiter | SUID |
| Jannis Kirschner | SUID |