It's been a long time since I wrote a write-up on this blog, so in this article I will show you a simple vulnerability I found in Clause (clause.io) which allowed me to inject HTML into the email notifications that are sent when requesting a signature from other users, i.e. the victims.
The vulnerability was found in the First Name and Last Name inputs when requesting a signature for a contact; the injected markup is rendered in both the attacker's and the victim's email notification once the request is made.
Long story short, I reported the vulnerability directly through the bug bounty program they run. The report timeline and proof of concept are below.
--Proof of Concept--
1. Go to https://clausestaging.com/contracts
2. Click "Create New Contract"
3. Click the "Add Signatory" button
4. Enter the payload in the First Name and Last Name fields. The payload I used in my test:
First Name: <font color="green">test green text</font><br /><img src="http://evanricafort.com/profile.png">
Last Name: <a href="http://example.com/">click here</a>
5. Enter your email address
6. Click "Add Signatory"
7. Click "Request Signatures" in the upper right corner of the page
8. Click "Continue"
9. Check your email and see the result.
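To show the root cause and the fix from the defender's side, here is an added example of my own (not Clause's code): a minimal notification template that interpolates the signatory's name unescaped, beside a hardened version that escapes every user-supplied value for the HTML context. The template text, the signing link and the helper names are assumptions; the name payload is the one from the steps above.

```python
import html
import re

# Constructed sample input: the First/Last Name payload from the proof of concept.
FIRST_NAME = ('<font color="green">test green text</font><br />'
              '<img src="http://evanricafort.com/profile.png">')
LAST_NAME = '<a href="http://example.com/">click here</a>'

# Assumed notification template (not Clause's real template).
TEMPLATE = ('<p>{first} {last} has requested your signature on a contract.</p>'
            '<p><a href="{link}">Review and sign</a></p>')
TEMPLATE_TAG_COUNT = 3  # <p>, <p>, <a> are the only tags the template itself emits


def render_vulnerable(first, last, link):
    """Interpolates user input straight into the HTML body: the bug in the write-up."""
    return TEMPLATE.format(first=first, last=last, link=link)


def render_hardened(first, last, link):
    """Escapes each user-supplied value for the HTML text/attribute context first.

    quote=True also escapes " and ' so the value is safe inside an attribute.
    The link should additionally be validated (https scheme, own domain) upstream.
    """
    return TEMPLATE.format(first=html.escape(first, quote=True),
                           last=html.escape(last, quote=True),
                           link=html.escape(link, quote=True))


def count_opening_tags(body):
    """Counts opening/self-closing tags; useful as a cheap regression check."""
    return len(re.findall(r'<[a-zA-Z][^>]*>', body))


def has_foreign_markup(body):
    """True if the rendered body carries more tags than the template itself emits."""
    return count_opening_tags(body) > TEMPLATE_TAG_COUNT


def name_contains_markup(name):
    """Input-side check: a person's name never legitimately contains < or >."""
    return '<' in name or '>' in name
```

Output escaping is the actual fix; the input-side check is a second layer that lets the request be rejected and logged before a notification is ever generated.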
Report Title: Vulnerability Issue (HTML Injection in Email Notifications)
Reported: Apr 23, 2019, 5:41 AM

First Response: Tue, Apr 23, 3:35 PM

Hi Evan,
Thank you for your vulnerability disclosure.
We have confirmed that the issue that you describe is valid and the issue has been assigned to our engineering team for further investigation.
In order for this disclosure to qualify under the Clause Vulnerability Disclosure Program, please confirm that you agree to the terms at https://clause.io/security
We will respond to you within 7 days with an update on this issue.

Confirmation Response: Apr 23, 2019, 10:53 PM

Thank you very much for your confirmation, Evan.
Yes, this issue is expected to result in a bounty. We have scored this vulnerability under CVSS as 5.4 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Once the engineering team have confirmed, I will provide guidance for claiming your bounty.
Out of interest, where did you hear about our vulnerability program, please?

Our engineering team have completed their investigation of this issue and will release a fix in the next 48 hours. We have determined that this report is eligible for a $250 bounty. To claim your bounty, can you please send a PayPal invoice to firstname.lastname@example.org through the link below:
https://www.paypal.com/signin/?returnUri=%2Finvoice%2Fcreate
I will respond separately to confirm that the issue has been resolved. Congratulations on your award. I wish you good luck with your future research,
Matt

Disclosure Agreement: Wed, Jul 17, 11:18 PM

Yes, we are happy for you to make a public disclosure, however, I kindly ask that you share a copy of your write-up with us 72 hours before you publish.
I hope you enjoyed this write-up. Have a great day!
“Instead of worrying about what you cannot control, shift your energy to what you can create.”
Roy T. Bennett, The Light in the Heart