CVE-2020-9448 – Authenticated Cross-Site Scripting in the Digital Guardian Management Console

DeepCode reported a Cross-Site Scripting vulnerability in the Digital Guardian Management Console on 25th February 2020. The vulnerability results from a lack of input validation in the filtering feature of the “Policies & Rules” menu of the management console.

Vulnerability in Filters

The filtering features of Digital Guardian 7.5.1.0015 are vulnerable to XSS through HTML injected into the filter input box. These features are exposed on the Policy Manager page of the management console at /DigitalGuardian/Policies/PolicyManager.aspx. The filtering feature is available on the following pages:
  • Policies & Rules > Control > Policies,
  • Policies & Rules > Control > Rules,
  • Policies & Rules > Control > Component Rules,
  • Policies & Rules > Control > App Management Rules,
  • Policies & Rules > Classification > Policies,
  • Policies & Rules > Classification > User Policies,
  • Policies & Rules > Classification > Component Rules,
  • Policies & Rules > Classification > Content Patterns,
  • Filter > Policies,
  • Filter > Rules,
  • Filter > Component Rules,
  • Trusted Process > Policies,
  • Trusted Process > Rules,
  • Trusted Process > Component Rules,
  • Prompts > Prompts,
  • Prompts > Skins,
  • Lists > Components Lists, and
  • Lists > Feed Lists.
The vulnerability appears to be exploitable even when the X-Frame-Options and X-XSS-Protection headers are set to restrictive values such as “same-origin” and “1; mode=block”. The following code can be used as a proof-of-concept:
</script><script>document.location="https://www.deepcode.ca/img/desu.jpg"</script>
 
Cross-Site Scripting proof-of-concept for Digital Guardian Management Console in the Filtering Features

PoC Video

Digital Guardian Cross-Site Scripting in Management Console

HTML Injection via Cookie Manipulation

A second vulnerability was identified in the Help section of the console. The Help section of the site uses an old JavaScript library that lets users search for specific topics by keyword. When a keyword is found in the text, the JavaScript code reads the value of the ‘rhhlbgcol’ or ‘rhhltxtcol’ cookie, which usually contains the HTML hexadecimal colour code for the highlighted text, e.g. #FCFF00, and inserts that value directly into the HTML of the page. For example, a keyword search for “Linux” would generate this sample HTML code:
[...] Install on <font bgcolor="' + "#FCFF00" + '" >Linux</font>  ->>>> Install on <font bgcolor="#FCFF00">Linux</font>
Now the issue is that the JavaScript doesn’t properly validate the input of the cookie – which is a value controlled by the client, i.e. I can send any value I want. And since the cookie is injected into the HTML, I can send HTML, so sending the PoC results in:
[...] Install on <font bgcolor="' + "#FCFF00' /><iframe src='../favicon.ico'><!--" + '" >Linux</font> ->>> <font bgcolor="#FCFF00' /><iframe src='../favicon.ico'><!--">Linux</font>
The steps to confirm this vulnerability are as follows:
  1. Go to the Help section of Digital Guardian (requires authentication): http://dg.target.com/DigitalGuardian/Help
  2. Change the value of the cookie ‘rhhlbgcol’ or ‘rhhltxtcol’ to “#FCFF00' /><iframe src='../favicon.ico'><!--”
  3. Click on the “Search” icon and type in a search term, e.g. Linux;
  4. Click on a topic and wait until the highlight function starts; and
  5. The code injected in the cookie will be inserted into the help page.
A video demonstrating this issue is available: Digital Guardian Management Console HTML Injection Vulnerability
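
The cookie handling described above, next to a hardened form, as an added example that is not code from the Digital Guardian help library or from the original advisory. Only the cookie names, the default colour and the tampered value come from the page; the function names, the #RRGGBB allow-list and the sample cookie strings are assumptions constructed for illustration.

```javascript
// Added example: only the cookie names, default colour and tampered value come from the advisory.
const DEFAULT_COLOUR = "#FCFF00";
const HEX_COLOUR = /^#[0-9A-Fa-f]{6}$/; // assumption: only #RRGGBB is a legitimate value

// Read one cookie from a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1 || part.slice(0, idx).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      return null; // malformed percent-encoding: treat as absent
    }
  }
  return null;
}

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Pattern the advisory describes: the cookie value is concatenated into markup.
function highlightVulnerable(term, cookieString) {
  const colour = readCookie(cookieString, "rhhlbgcol") || DEFAULT_COLOUR;
  return '<font bgcolor="' + colour + '" >' + term + "</font>";
}

// Allow-list check: anything that is not a hex colour falls back to the default.
function safeColour(cookieString, name) {
  const raw = readCookie(cookieString, name);
  return raw !== null && HEX_COLOUR.test(raw) ? raw : DEFAULT_COLOUR;
}

// Hardened form: validated colour, HTML-escaped search term.
function highlightHardened(term, cookieString) {
  const colour = safeColour(cookieString, "rhhlbgcol");
  return '<font bgcolor="' + colour + '" >' + escapeHtml(term) + "</font>";
}

// Constructed sample cookie strings (the second carries the value from step 2).
const BENIGN_COOKIES = "session=abc; rhhlbgcol=#00FF00";
const TAMPERED_COOKIES = "session=abc; rhhlbgcol=#FCFF00' /><iframe src='../favicon.ico'><!--";

console.log(highlightVulnerable("Linux", TAMPERED_COOKIES));
console.log(highlightHardened("Linux", TAMPERED_COOKIES));
```

In a browser the same check applies when the colour is set through a DOM property such as element.style.backgroundColor instead of string concatenation, which removes the markup injection point altogether.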