=== LSE Leading Security Experts GmbH - Security Advisory 2014-05-22 === F*EX (Frams' Fast File EXchange) - Multiple Issues - - --------------------------------------------------------------------- Affected Versions ================= F*EX (Frams' Fast File EXchange) 20140313-1 as shipped with debian, version fex-20140530 and later are not affected. Issue Overview ============== Technical Risk: medium Likelihood of Exploitation: high Vendor: Universitt Stuttgart Vendor URL: http://fex.rus.uni-stuttgart.de/ Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-22.txt Advisory Status: Public CVE-Number: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877 Impact ====== It is possible to attack user sessions and to execute JavaScript in another users browser. This might enable an attacker to gain access to files which are intended for other users of the platform. Issue Description ================= While conducting an internal evaluation of the software, LSE Leading Security Experts GmbH discovered multiple, remotely exploitable issues with F*EX. 1) HTTP Response splitting in rup CVE-Number: CVE-2014-3875 When inserting encoded newline characters into a request to rup, additional HTTP headers can be injected into the reply, as well as new HTML code on the top of the website. - ----------------8<------------- $ nc 127.0.0.1 8888 GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0 HTTP/1.1 200 OK X-Message: OK Server: fexsrv Expires: 0 Cache-Control: no-cache X-Frame-Options: SAMEORIGIN Set-Cookie: akey=test HELLO; Max-Age=9999; Discard Content-Type: text/html; charset=UTF-8 <html> <head> ... - ----------------8<------------- The same attack is possible using a POST request. 2) Cross-Site-Scripting issue in rup CVE-Number: CVE-2014-3876 The parameter akey is reflected unfiltered as part of the HTML page. Some characters are forbidden in the GET parameter due to filtering of the URL, but this can be circumvented by using a POST parameter. Nevertheless, this issue is exploitable via the GET parameter alone, with some user interaction. Opening the following URL opens a popup window, when the cursor moves over the back link on the bottom of the page: http://127.0.0.1:8888/rup?akey=foo" onmouseover=alert(1) bar=" - ----------------8<------------- <p> <a href="/foc?akey=wow" onmouseover=alert(1) foo="">back to F*EX operation control</a> </body></html> - ----------------8<------------- 3) Cross-Site-Scripting issue in fup CVE-Number: CVE-2014-3877 The parameter addto is reflected only slightly filtered back to the user as part of the HTML page. Some characters are forbidden in the GET parameter due to filtering of the URL, but this can be circumvented by using a POST parameter. Nevertheless, this issue is exploitable via the GET parameter alone, with some user interaction. Opening the following URL opens a popup window, when the cursor moves over the recipient entry field: http://127.0.0.1:8888/fup?addto=%22onmouseover=alert%281%29;bar=%22 - ----------------8<------------- <tr title="e-mail address or alias"><td>recipient(s): <td><input type="text" name="to" size="96" value=""onmouseover=alert(1);bar=""><br> </tr> - ----------------8<------------- 4) Cross-Site-Scripting issue in fuc CVE-Number: CVE-2014-3876 The POST parameter disclaimer is reflected back to the user as part of the HTML page. Setting the disclaimer POST parameter in the change disclaimer operation (http://127.0.0.1:8888/fuc? disclaimer=CHANGE&akey=2409d2a55e5acfa407929fb10cb8335f) to the following value - ----------------8<------------- '"><script>alert(1)</script> - ----------------8<------------- will results in the following HTML code, which opens a popup window: - ----------------8<------------- <pre> '"><script>alert(1)</script> </pre> <p> - ----------------8<------------- An additional attack is possible using the gm POST parameter, by setting it to malicious HTML code and supplying a GET parameter group. It looks like other values might be affected as well, since only limited filtering is performed in the CGI parameter evaluation. Temporary Workaround and Fix ============================ LSE Leading Security Experts GmbH advises to deactivate F*EX until the vendor publishes a complete fix. LSE Leading Security Experts GmbH recommends to implement proper filtering mechanisms for all parameters and the implementation of proper output encoding before reflecting values back to the user. 1) HTTP Response splitting in rup - --- rup.orig 2014-05-23 08:50:01.558808000 +0200 +++ rup 2014-05-23 08:55:03.182808000 +0200 @@ -35,6 +35,7 @@ foreach my $v (param) { $vv =~ s/[<>]//g; if ($v =~ /^akey$/i) { $vv =~ s:[/.]::g; + $vv =~ s/[\W]//g; $akey = untaint($vv); } elsif ($v =~ /^(from|user)$/i) { $from = normalize_address($vv); 2) Cross-Site-Scripting issue in rup The patch from 1) is sufficient to fix this issue as well. 3) Cross-Site-Scripting issue in fup - --- fup.orig 2014-05-23 09:26:12.514808000 +0200 +++ fup 2014-05-23 09:26:53.794808000 +0200 @@ -2551,7 +2551,7 @@ sub setparam { $replyto = untaint($replyto); } elsif ($v eq 'ADDTO') { $vv =~ s/\s.*//; - - $vv =~ s/[<>]//g; + $vv =~ s/[<>"']//g; $addto = untaint(lc($vv)); # if checkaddress($vv); } elsif ($v eq 'SUBMIT') { $submit = $vv; 4) Cross-Site-Scripting issue in fuc No workaround from LSE. All parameters need to be filtered properly and HTML encoded when reflected back to the user. History ======= 2014-05-22 Issue discovered 2014-05-23 Issue reported 2014-05-23 Vendor reply 2014-05-26 Internal test version supplied by vendor 2014-05-26 Vendor releases a patch 2014-05-30 CVE-Numbers assigned 2014-06-03 Advisory released