CVE-2006-4577

Source: PSIRT-CNA@flexerasoftware.com

MEDIUM
6.8
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in The Address Book 1.04e allow remote attackers to inject arbitrary web script or HTML via Javascript events in the (1) email, (2) websites, and (3) groupAddName parameters in (a) save.php; the (4) errorMsg parameter in (b) index.php; and the (5) goTo and (6) search parameters in (c) search.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e suffers from multiple cross-site scripting (XSS) vulnerabilities, enabling attackers to inject malicious code into web pages viewed by legitimate users. This allows for account hijacking, session theft, and defacement, potentially leading to a complete compromise of the application and sensitive user data. The vulnerabilities stem from inadequate input validation and output encoding, making the application susceptible to crafted payloads.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious URL or form submission containing a JavaScript payload in one of the vulnerable parameters (email, websites, groupAddName, errorMsg, goTo, search).

Step 2: Request Submission: The attacker sends the crafted URL or submits the form to a vulnerable installation of The Address Book.

Step 3: Server Processing: The application receives the request and processes the input, including the attacker's payload.

Step 4: Insufficient Sanitization: The application fails to properly sanitize the attacker's input, leaving the malicious JavaScript intact.

Step 5: Output Generation: The application generates an HTML response that includes the attacker's unsanitized input.

Step 6: Browser Rendering: The user's web browser receives the HTML response and renders it.

Step 7: Payload Execution: The browser executes the attacker's JavaScript payload, as it is treated as valid code within the context of the page, leading to XSS.

03 // Deep Technical Analysis

The root cause lies in the absence of input validation and output encoding in several PHP scripts of The Address Book 1.04e: user-supplied data is written into the response without being sanitized or escaped. This lets an attacker place JavaScript in the email address, website URL, group name, error message, search query and navigation-target (goTo) parameters. When a user views a page that reflects the injected value, the browser runs the script in the application's origin, allowing the attacker to act as that user, for example by stealing cookies, redirecting to phishing sites, or defacing the site. The flaw is a classic reflected XSS, with the payload delivered via a crafted URL or form submission. Because nothing HTML-entity encodes the parameter values before they reach the page, arbitrary HTML and JavaScript can be injected.

04 // Exploitation Status

Public PoC. Exploits are readily available and easily adaptable. The age of the vulnerability and the availability of PoCs suggest a high likelihood of exploitation in environments where the vulnerable software is still deployed. It is likely that this vulnerability is **Actively exploited** in environments where the software is still in use.

05 // Threat Intelligence

While no specific APT groups are directly linked to this vulnerability, its simplicity and ease of exploitation make it a potential target for various threat actors, including script kiddies and opportunistic attackers. The vulnerability could be used as a stepping stone for more sophisticated attacks. Not listed on CISA KEV.

06 // Detection & Hunting

  • Network traffic analysis: Examine HTTP requests for suspicious parameters containing JavaScript code (e.g., <script>, onerror, onload).

  • Web server logs: Monitor web server logs for unusual URL patterns or form submissions that include potentially malicious JavaScript payloads.

  • Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and configure IDS/IPS rules to detect XSS attempts based on known patterns and signatures.

  • Content Security Policy (CSP) violations: Monitor for CSP violations, which can indicate XSS attempts.
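The web-server-log hunt described above, as an added example that is not part of the original advisory: a small Python scanner that reads combined-format access log lines, keeps only requests to the three scripts the CVE names, decodes the listed parameters (twice, so double-encoded values are not missed) and flags values carrying script tags, javascript: URLs or on* event-handler attributes. The log lines, IP addresses and paths are constructed for the example; the parameter-to-script table comes from the vulnerability description.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters the CVE names for each script of The Address Book 1.04e.
VULNERABLE_PARAMS = {
    "save.php": {"email", "websites", "groupAddName"},
    "index.php": {"errorMsg"},
    "search.php": {"goTo", "search"},
}

# Heuristic markers for injection via tags, javascript: URLs or on*
# event-handler attributes (the vector this CVE describes). Expect some
# false positives (any "word=" starting with "on"); tune for your traffic.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): a benign search, two plain
# injection attempts, a benign errorMsg, an unrelated script the scanner
# must ignore, and a double-encoded attempt against goTo.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:01:02 +0000] "GET /addressbook/search.php?search=smith&goTo=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:01:07 +0000] "GET /addressbook/search.php?search=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 1610 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:01:09 +0000] "GET /addressbook/index.php?errorMsg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:02:30 +0000] "GET /addressbook/index.php?errorMsg=Entry+saved HTTP/1.1" 200 990 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:03:00 +0000] "GET /other/app.php?q=%3Cscript%3E HTTP/1.1" 404 220 "-" "curl/8.0"
10.0.0.9 - - [10/Jan/2024:10:03:41 +0000] "GET /addressbook/search.php?goTo=%2522%2520onload%253Dx HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
"""


def looks_like_xss(value):
    """True if a decoded parameter value carries an injection marker."""
    return XSS_MARKERS.search(value) is not None


def scan_log(text):
    """Return one finding per flagged (request, parameter) pair, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        script = parts.path.rsplit("/", 1)[-1]
        watched = VULNERABLE_PARAMS.get(script)
        if not watched:
            continue  # request is not for one of the three vulnerable scripts
        for name, values in parse_qs(parts.query).items():
            if name not in watched:
                continue
            for value in values:
                # parse_qs decoded once; decode again so a double-encoded
                # payload (%253C -> %3C -> <) is still seen in the clear.
                decoded = unquote_plus(value)
                if looks_like_xss(decoded):
                    findings.append({
                        "ip": m.group("ip"), "time": m.group("ts"),
                        "script": script, "param": name, "value": decoded,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['script']} {f['param']}={f['value']!r}")
```

Note that save.php takes its email, websites and groupAddName values from a form submission, and a standard access log records only the request line, not the POST body; hunting for those three parameters needs request-body logging from a WAF or reverse proxy audit log, fed to the same `looks_like_xss` check.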

07 // Remediation & Hardening

  • Upgrade: Upgrade to a patched version of The Address Book or a more secure alternative. Since the software is old, this might not be possible. Consider removing the software entirely.

  • Input Validation: Implement robust input validation to sanitize all user-supplied data. This includes filtering out or encoding special characters that can be used to inject HTML or JavaScript.

  • Output Encoding: Implement output encoding (e.g., HTML entity encoding) to escape special characters before displaying user-supplied data in the browser.

  • Content Security Policy (CSP): Implement a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.

  • Web Application Firewall (WAF): Deploy a WAF to filter malicious traffic and block XSS attempts.
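As an added illustration of the mechanism in sections 02 and 03 and of the output-encoding fix in section 07 (this is example code, not the application's PHP; the renderer functions and sample inputs are hypothetical), the Python below places a vulnerable echo next to its hardened form. The text-context fix is plain HTML-entity encoding, the equivalent of PHP's `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`. The website value goes into an `href`, where encoding alone is not enough because a `javascript:` URL contains no special characters at all, so the link is only made clickable when the scheme is http or https.

```python
import html
from urllib.parse import urlsplit

# Hypothetical stand-ins for the echo statements in index.php (errorMsg)
# and for the page that lists an entry's websites.


def render_error_vulnerable(error_msg):
    """Mirrors the flaw: the parameter is echoed into the page unchanged."""
    return f"<p class='error'>{error_msg}</p>"


def render_error_fixed(error_msg):
    """Text context: entity-encode &, <, >, \" and ' before output."""
    return f"<p class='error'>{html.escape(error_msg, quote=True)}</p>"


def render_website_fixed(url):
    """URL-attribute context: encode for the attribute AND allow only
    http/https schemes; anything else is shown as inert, encoded text."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:  # malformed URL (e.g. bad IPv6 literal): treat as untrusted
        scheme = ""
    safe = html.escape(url, quote=True)
    if scheme not in ("http", "https"):
        return f"<span class='website'>{safe}</span>"
    return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'


# Constructed inputs: one benign value and one injection attempt per context.
SAMPLE_INPUTS = {
    "errorMsg": ["Entry saved", "<script>alert(1)</script>"],
    "websites": ["https://example.com/?a=1&b=2", "javascript:alert(1)"],
}


def demo():
    """Render every sample both ways; return the fixed fragments."""
    rendered = []
    for msg in SAMPLE_INPUTS["errorMsg"]:
        print("vulnerable:", render_error_vulnerable(msg))
        fixed = render_error_fixed(msg)
        print("fixed:     ", fixed)
        rendered.append(fixed)
    for site in SAMPLE_INPUTS["websites"]:
        fixed = render_website_fixed(site)
        print("fixed:     ", fixed)
        rendered.append(fixed)
    return rendered


if __name__ == "__main__":
    demo()
```

The same rule applies to the other named parameters: email and groupAddName are text and get entity encoding at every point they are printed; the encoding is applied at output time, in the template, rather than at input time, so stored values stay intact and every rendering path is covered.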

08 // Affected Products

The Address Book 1.04e

09 // Discovered Proof of Concept Links
