-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-054 Product: Novell Filr Vendor: Novell Affected Version(s): 1.2.0 build 846 Tested Version(s): 1.2.0 build 846 Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) Risk Level: Medium Solution Status: Fixed Vendor Notification: 2015-09-17 Solution Date: 2016-02-17 Public Disclosure: 2016-03-08 CVE Reference: CVE-2015-5967 Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Novell's Filr is an application for mobile file access and collaborative file sharing [1]. High security is an important aspect of the application. The SySS GmbH could find an open redirect vulnerability in the login form of the Filr Web application. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH identified that it is possible for an attacker to prepare a crafted link to the login form. When a user logs in using this crafted URL, he is redirected to a page specified by the attacker. This kind of vulnerability simplifies so-called phishing attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): When a victim visits the vulnerable login form via the URL https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&action=__login&refererUrl=https://www.syss.de and logs in using valid credentials, he will be redirected to the external attacker-controlled site https://www.syss.de. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to Filr 2.0. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2015-09-14: Vulnerability discovered 2015-09-17: Vulnerability reported to vendor 2016-02-17: Update provided by vendor 2016-03-08: Vulnerability published by SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Novell Filr Web site https://www.novell.com/products/filr/ [1] SySS GmbH, SYSS-2015-054 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-054.txt [2] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Erlijn van Genuchten of the SySS GmbH. E-Mail: erlijn.vangenuchten@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc Key ID: 0xBD96FF2A Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJW3sUaAAoJEAylhje9lv8qrZYP/1otuLGzS08Vok4ncasAq0vQ /BkxXR8SWNoBCHVdghUQpcByvYobDPmd+lY1u8CdsBMko4FeHIpeotK9jxLekzlA YW1um0IGGOgsoLh7I8ruX2YmP6+mF0wE1VjzTJ4gDd+hDRlInMuPWVL3XqCpmOLV yErIinnB4Y9vt5VUx+VyoDuE2HG7vU1sNePivL5oqSOU1BDkqvZzivgNtBT23vNF 8aNvWe/KGqh9AygoBpTsRt35Idq7GtExpjH546uFSIC3brfx0QhIKDXAn04gwu+D 8vJvLhhV9la6r2qppAErPXI1fMQuAD3tnd8VDwgEznmL6Igcr100pYsogi73DPHM 5VhRxT3b3dpP14rSplnf5u1+/2UADTO3CUcxTO2/gpK5/BLfwrk6yiU4s4vhsXAx U17XWV0tk/+CqYpn82K0rMoreTt8OW8ESns7eCyGbAE6vxYi88FCHPBjyXCHTDnv UDAmQx5nsGKCuDyTJoovyU3CkJ4TlVjGIZRb3ZjrOGnqTeF/MUaYgC/laVvWr12a g2HjiIoo73LP6ynWHPYIDGK/jo/wlbom/1om8YTluCRnU2JrKe/bJRz8t7DcEO9T RQ0e1OHgJXyFjzCaeb93Ow6kgdNgrITq/CtUYgbBCRNeMzZZzkK/y2AXB9PBTRum 5Bvm3Or7Oc8FqDCD9r7/ =qogE -----END PGP SIGNATURE-----