Cross-site scripting and open redirect vulnerability on Rock RMS Login Page in sparkdevnetwork/rock
Reported on
May 12th 2022
Description
The Rock RMS login page has a returnUrl parameter that is used to set window.location.href once the user has successfully logged in. An attacker can craft a login link whose returnUrl parameter carries a malicious JavaScript payload, such as 'javascript:...', which is then executed after the user logs in through that link. In addition, an attacker can redirect the user to any URL they desire by setting the returnUrl parameter to a malicious URL.
Proof of Concept
To demonstrate the XSS vulnerability, navigate to this PoC link on the demo login page and log in using the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=javascript%253Aalert(%27xss%27)
An alert box should be displayed, demonstrating that a malicious JS payload is executed.
To demonstrate the open redirect vulnerability, navigate to this PoC link on the demo login page and log in using the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=https%253A%252F%252Fgoogle.com
You should be redirected to google.com, rather than the appropriate Rock RMS dashboard page.
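A hardened way to handle the returnUrl value on the client, added here as an example and not Rock RMS's own code. It assumes the application origin and fallback dashboard path shown below; because the PoC links above use a double-encoded payload (%253A), the check decodes the value repeatedly so it is judged in the form the browser would finally navigate to, then allows only same-origin http(s) paths.

```javascript
// Assumed values: the application's own origin and the page to land on
// when returnUrl is missing or unsafe.
const APP_ORIGIN = "https://rock.example.test";
const DEFAULT_LANDING = "/page/1";

// Decode a bounded number of times so double-encoded input such as
// "javascript%253Aalert(%27xss%27)" is checked as "javascript:alert('xss')".
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return current; // malformed percent-encoding: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a same-origin path suitable for window.location.href, or the
// fallback. Rejects javascript:/data: schemes, protocol-relative "//host"
// (and the "/\host" variant the URL parser normalises), and foreign origins.
function safeReturnUrl(raw, origin = APP_ORIGIN, fallback = DEFAULT_LANDING) {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  const decoded = fullyDecode(raw).trim();
  if (/^[\\/]{2}/.test(decoded)) return fallback;
  let target;
  try {
    target = new URL(decoded, origin); // resolves relative paths against our origin
  } catch {
    return fallback;
  }
  const httpScheme = target.protocol === "http:" || target.protocol === "https:";
  if (!httpScheme || target.origin !== origin) return fallback;
  // Hand back only path+query+fragment so the result can never name a host.
  return target.pathname + target.search + target.hash;
}

// Usage after a successful login (constructed inputs):
// window.location.href = safeReturnUrl(new URLSearchParams(location.search).get("returnurl"));
```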
Impact
It is possible to force a user to perform actions on their behalf, deface the website, or redirect the user to a malicious website. An attacker can also try to steal the user's credentials by redirecting them to an attacker-hosted website that imitates the Rock login page and capturing what they enter, or, if the session cookie/token is not appropriately protected, steal the credentials directly from the legitimate Rock website.
References
SECURITY.md
Thanks @maintainer. Should we assign a CVE to this? @admin