lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 Jan 2017 21:43:59 +0100
From: Julien Ahrens <>
Subject: [FD] [RCESEC-2016-012] Mattermost <= 3.5.1 "/error" Unauthenticated
 Reflected Cross-Site Scripting / Content Injection

RCE Security Advisory

Product:        Mattermost
Vendor URL:
Type:           Cross-Site Scripting [CWE-79]
Date found:     02/12/2016
Date published: 16/01/2017
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            -

This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

Mattermost v3.5.1
Mattermost v3.5.0
older versions may be affected too.

Mattermost is an open source Slack-alternative built for enterprise.
Thousands of companies use Mattermost for workplace messaging across
web, PC and phones with archiving, search, corporate directory
integration and connectivity to over 700 third party applications.
Available under MIT license in 11 languages Mattermost offers
peace-of-mind, value, control, and freedom from lock-in for
organizations around the world.

The Mattermost "/error" page is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to
the HTTP GET parameter "link" is processed by the web application. Since
the application does not properly validate and sanitize this parameter,
it is possible to set the return link, which is part of the error page,
to a base64 encoded DATA URI. This could be used to execute arbitrary
JavaScript code in the context of an authenticated as well as
unauthenticated user.

There is one restriction which reduces the attack likelihood: Due to
JavaScript validations it is not possible to execute the payload by a
simple click on the return link, but instead it must be opened in a new
browser tab or window. However since an attacker does also have all
other text elements (HTTP GET parameters "title" and "linkmessage") of
the error page under control, it is possible to perform social
engineering attacks on the very same page.

The following Proof-of-Concept triggers this vulnerability by injecting
a base64-encoded data URI and a spoofed content text for the title and
link message:


The payload is afterwards reflected within the response body:

<div class="error__container"><div class="error__icon"><i class="fa
Error</h2><div><p>Something went wrong with the provided link, open it
with a right click instead!</p>

To successfully exploit this vulnerability an authenticated or
unauthenticated user must be tricked into visiting a prepared link
provided by the attacker. Once on the "/error" page, the user must also
be tricked into opening the link in a new tab or window, which can be
accomplished by spoofing the other elements of the error page.

The vulnerability can be used to temporarily embed arbitrary script code
into the context of the Mattermost error page, which offers a wide range
of possible attacks such as redirecting the user to a malicious page or
attacking the browser and its plugins. Since session-relevant cookies
are protected with the HttpOnly flag, it is not possible to hijack sessions.

Update to Mattermost v3.6.0.

02/12/2016: Discovery of the vulnerability
02/12/2016: Created support ticket #2231 with preset disclosure date
            set to 16/01/2017
12/12/2016: No response, sent out another notification
12/12/2016: Vendor confirms the vulnerability
03/01/2017: No further response, sent reminder about the disclosure date
16/01/2017: Vendor releases v3.6.0 which fixes this vulnerability
18/01/2017: Advisory released


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists