-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-003
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A Path Traversal vulnerability was identified in the sam* application.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the
areas of health and safety, occupational safety, occupational health,
environmental protection, quality waste management and HR. (Keyword: EHS
Software) All essential operational requirements for companies are
ideally satisfied with sam*. sam* dovetails the most important main and
sub-disciplines (ISO, OHSAS, knowledge logistics and legal compliance)
with one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Images used by the sam* application are delivered through a PHP script.
This script discloses absolute path information in its error output and
can be used to read arbitrary images on the server, because the
client-supplied file and path parameters are not confined to the
intended gallery directory.
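The following is an added example of how an image-serving handler of this kind can be hardened; it is not secova's code and does not reproduce the internals of getimage.php. It assumes a fixed gallery base directory (GALLERY_BASE), the same file and path query parameters the advisory shows, and an allow-list of image extensions; the w and h resize parameters are out of scope. The two defensive points are that the canonical (realpath) result must lie inside the base directory, and that every failure yields the same generic 404 so no absolute path is disclosed.

```php
<?php
// Added example, not vendor code: hardened image handler.
// GALLERY_BASE is an assumed location; adjust to the real deployment.
const GALLERY_BASE = '/var/www/html/sam/media';
const ALLOWED_EXT  = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Resolve a client-supplied (file, path) pair to a canonical file name
 * inside GALLERY_BASE, or return null if the request must be refused.
 */
function resolve_image(string $file, string $path): ?string
{
    // The file name must be a bare name: no separators, no "..".
    if ($file === '' || preg_match('#[/\\\\]|\.\.#', $file)) {
        return null;
    }

    // The subdirectory may only consist of simple path components.
    $path = trim($path, '/');
    if ($path !== '' && !preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $path)) {
        return null;
    }

    // Only known image types may be served, whatever the file contains.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }

    // Canonicalise both sides so symlinks and "." / ".." are resolved
    // before the containment comparison.
    $base = realpath(GALLERY_BASE);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . ($path === '' ? '' : $path . '/') . $file);
    if ($candidate === false) {
        return null;
    }

    // Containment check: the canonical path must start with "<base>/".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

$resolved = resolve_image((string)($_GET['file'] ?? ''), (string)($_GET['path'] ?? ''));
if ($resolved === null) {
    // One uniform response for every refusal: no path information leaks.
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_EXT[$ext]);
header('Content-Length: ' . (string)filesize($resolved));
readfile($resolved);
```

The extension allow-list and the pattern checks reject most malformed requests before any filesystem access; the realpath containment check is the backstop that also catches symlinks pointing outside the gallery. Display_errors should additionally be disabled in production so PHP warnings cannot leak absolute paths even if a check is missed.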
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A common image URL looks like:

http://example.com/libs/sam/editor/gallery/getimage.php?file=ausrufungszeichen.jpg&path=//sam/media/global/AS&w=120&h=120

The favicon can be accessed through the following URL:

http://example.com/libs/sam/editor/gallery/getimage.php?file=favicon.png&path=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor
2016-04-18: Release of a fixed version
2016-05-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-003
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-003.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXQzotAAoJENWmFJbQahTeNyEP+gJ6qxRi6PVbh4eiEP658iq2
fFvFtGwYcdKjKYFlRU7FWkxcWXuEHD/Edpw2vLrR5Cy7jO0KmpBYzlKh5s5qA3c5
RyHfbWl72H4w3FZldT/L+7tzF1Q6/icRQXjRT39yCLSSIgMvfFOMi792uA64/lVX
60rAHDBpdPTXQsJI0eqzSoDsguhtPY5sIZwQcSgyZ6eZDJadYD/0CvTNbAUR9gKA
rpMxAt6rB44lkocfzTz5qkf+Jdkw0PYPsf64/scbkD43ZF9DAcE+rITb0Ah1Vnq4
IGaPIJe1FwoeNeabmwSTZ41LqKFRMlIJ9p/o/ZZxcXoAAmTtBvvYgrrK6xdAk8pp
A2ufREDvTuY+/BIe9znxeKdFn1jiyPvQXsB1bqm2NdnZMx7lwRf71eh4OLryH/Iy
pSoxa16Dp2Q4CD1gjyqhCq4Xkv4rte9sDxMDt4SwqdxyIfEohjpubZX4CYQuDrBW
VsdEKEFizG8h5V8ZjN0bUKN3W1crkaGyvDSnveyV1qCGZq+q4U1kjL17dVnHz69c
uQJLIInYyvO0Gw6TXxyJtEU8z1SkpQbzTegs95OeEsI0PiKPPSNA/4bld/nY4zXa
LWtZJ4dFiVYqRW1zAiZq/bjJrZS7seUWlM/hWLP3XSBuoF38nKOE/yEdMRzP2Ss0
jJYzuuzCle25q9aSwXH+
=3Blc
-----END PGP SIGNATURE-----