Advisory Name: Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4
Application: BES12 version 12.4 and earlier
Discovered by: Nicodemo Gawronski
Vendor Status: Resolved in the April 2016 Blackberry update, available from http://web.blackberry.com/support/business/bes-support/bes-support-downloads.html
Reflected Cross-Site-Scripting (Reflected XSS)
Two instances of Reflected Cross-Site-Scripting were discovered on the affected software.
Cross-Site-Scripting (XSS) is a vulnerability that occurs when user-entered data is accepted by the server and returned in a response without proper sanitisation, which allows an attacker to embed a malicious script in a request that is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in the response to the malicious request, whereas Stored XSS occurs when the application holds the malicious data for some time before embedding it in a response (for example, storing it in a database and retrieving it at a later date).
Two parameters, on the “admin/settings/redirect.do” and “admin/user/userDetails.do” pages of the BES12 web server, were found to be vulnerable to Reflected Cross-Site Scripting (XSS).
This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, by sending a malicious link in a targeted email). The effects could, for example, include:
- Stealing access credentials from a targeted user as that user logs in
- Stealing an access token from a targeted user as that user logs in
- Displaying a malicious or political message to the user
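The following is an added illustration, not code from the advisory or from BES12, of the general pattern behind a reflected XSS finding of this kind: a handler that copies a query parameter straight into its HTML response, the same handler with contextual HTML encoding applied, and a small defensive check a reviewer or scanner can run against either renderer. The handler name, the `url` parameter and the sample input are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed example of a "redirect.do"-style page that reflects a query
# parameter into its HTML body. Hypothetical; not BES12 code.


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the 'url' parameter is reflected verbatim."""
    params = parse_qs(query_string)
    target = params.get("url", [""])[0]
    return f'<p>Redirecting to <a href="{target}">{target}</a></p>'


def render_escaped(query_string: str) -> str:
    """Hardened pattern: HTML-encode the value for the context it lands in.

    html.escape with quote=True encodes &, <, >, " and ', which covers both
    the attribute value and the element body used here.
    """
    params = parse_qs(query_string)
    target = params.get("url", [""])[0]
    safe = html.escape(target, quote=True)
    return f'<p>Redirecting to <a href="{safe}">{safe}</a></p>'


# Constructed marker: contains a quote and angle brackets, the characters that
# must not survive unencoded in an HTML attribute or text node.
MARKER = 'x"<b>r</b>'


def reflects_unencoded(render, marker: str = MARKER) -> bool:
    """Defensive check: does the renderer echo markup characters unencoded?

    Sends the marker percent-encoded in the query string (as a browser would)
    and reports True if it comes back byte-for-byte, i.e. the page reflects
    input without output encoding.
    """
    response = render("url=" + quote(marker, safe=""))
    return marker in response


if __name__ == "__main__":
    print("unsafe renderer reflects unencoded:", reflects_unencoded(render_unsafe))
    print("escaped renderer reflects unencoded:", reflects_unencoded(render_escaped))
```

The check is deliberately content-neutral: it only asks whether quote and angle-bracket characters are returned unencoded, which is the condition a reviewer needs to establish before deciding a reflected parameter is exploitable. Contextual output encoding at the point the value is written into the response is the fix; rejecting suspicious input on the way in is not a substitute.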
Steps to reproduce the vulnerability:
- Log in to the BES12 Server.
- Access the following URLs:
This is a simplistic payload which simply displays a pop-up message warning the user that the page is vulnerable; however, a more advanced payload could easily be generated to perform the actions discussed above.
The vendor has patched the XSS issues in the April 2016 Software Update. Sec-1 would like to thank Blackberry for their prompt and professional response.