Micro Focus Vibe 4.0.6 HTML Injection

2020.03.29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2019-046 Product: Micro Focus Vibe (formerly Novelle Vibe) Manufacturer: Micro Focus International plc Affected Version(s): 4.0.6 Tested Version(s): 4.0.6 Vulnerability Type: HTML Injection (CWE-79) Risk Level: Low Solution Status: Fixed Manufacturer Notification: 2019-11-07 Solution Date: 2020-03-24 Public Disclosure: 2020-03-25 CVE Reference: Not assigned Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Micro Focus Vibe is a web-based team collaboration platform that can serve as a knowledge repository, document management system, project collaboration hub, process automation machine, corporate intranet or extranet [1]. The manufacturer describes the product as follows (see [2]): "Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and processes together in one secure place to enhance team productivity -- no matter where the team is or what devices they use." Due to insufficient server-side validation of user input, Vibe is vulnerable to injection of malicious HTML markup into file titles. (For a related vulnerability, see our advisory SYSS-2019-047 [3]) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: In Vibe, an uploaded file can be assigned a title that is different from the filename. While HTML markup is not allowed in filenames, it is partially accepted in file titles. This behavior poses a low to medium security risk, because it can be exploited by an authenticated attacker to inject malicious HTML markup into the title of a file uploaded by the attacker. For instance, the attacker can submit an external link as a file title, thus changing Vibe's expected behavior upon clicking on the title -- the malicious external resource will be requested instead of the internal page of the uploaded file. With a little social engineering, authenticated victims can be tricked into submitting their Vibe credentials to the attacker's server, by directing the victim's browser to a fake Vibe login page and prompting the victim to log in again, because of an alleged error. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An authenticated attacker uploads a file with, e.g., the following title: </a><a href="https://evil.me/fakeVibeLogin.html">Meaningful Title An authenticated victim sees the title "Meaningful Title" on the list of latest uploads and clicks on it. The victim's browser is directed to the fake Vibe login page with the URL https://evil.me/fakeVibeLogin.html. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Upgrade Vibe to version 4.0.7. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-10-27: Vulnerability discovered 2019-11-07: Vulnerability reported to manufacturer 2020-03-24: Patch released by manufacturer 2020-03-25: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] WikipediA Article on Novelle Vibe https://en.wikipedia.org/wiki/Novell_Vibe [2] Product website for Micro Focus Vibe https://www.microfocus.com/en-us/products/micro-focus-vibe/overview [3] SySS Security Advisory SYSS-2019-047 Stored Cross-Site Scripting (XSS) in Micro Focus Vibe https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-047.txt [4] SySS Security Advisory SYSS-2019-046 HTML Injection in Micro Focus Vibe https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-046.txt [5] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Vladimir Bostanov of SySS GmbH. E-Mail: vladimir.bostanov@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc Key ID: 0xA589542B Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS GmbH web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAl59+8YaHHZsYWRpbWly LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCslug/7BVr87qoAM5WGun8hfUy3 oBgteVtVpAXUMymZktz+NsBL2oN0cLbZ4m0rKMewFN20xRz4AAl6bfN6+2tloKPI giP6KLAo99Zps1xAGoUVeYvotPeBTG7tV89WBjRVCLIFOw0xBmUZ5dtejkyXfkQw TGe+DILUxrPLKNZQ7rMuXN89YQZ9QblNxB5z9Dn0W53awrgAGEx6ef2iyJanyrJ/ Gt5+HLrMFumPsWKadYklS31o1R0wVONnAb21H9IC5n8VBK1hSZbrpdzOPgjxr4jV V9znqC1VeOUrGqUlAClg+3i5uzQ/cqsl5VZRnmhBGNwC0yINUE6Ema8GIXUCFCdT J/ZneuI9X0AJFNxToqy2WRQQBLRehi7OlgS18+T7Ud18Ie+v+8vNPS2dJoC7Og/p YKAxjqGUEvFqNzZD7TAoDgXTpsFOM3/HgymrbiI32QtJ7GjP5XbsrsM+euhTV30W ckvuwaHqYH9CgTdcKosmy0Zr4LBRNv7+4YQBZhxiRUiohUF5wMzWeQDTkJSb1gDV UpPk6J9eflIEv4aX07+7rJx/ukhKUUy6tgmbJsuhT7e5r59FHd9a2VTx7k+Omqqs BdSK7BIHMVXFI45sR/k7EJgnRLpVgo2MNdRuikIR+DwD0BuuY41no/6YGLUDRfdZ TThuN0FOmUqT7Fu9L22xtOc= =o5ws -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top