Advisory ID: SYSS-2016-005
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

A Cross-Site Request Forgery vulnerability could be identified in the sam* application.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the areas of health and safety, occupational safety, occupational health, environmental protection, quality waste management and HR. (Keyword: EHS Software) All essential operational requirements for companies are ideally satisfied with sam*. sam* dovetails the most important main and sub-disciplines (ISO, OHSAS, knowledge logistics and legal compliance) with one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The sam* application does not provide any kind of protection against Cross-Site Request Forgery: a state-changing POST is accepted on the strength of the session cookie alone, so a form submitted from any other origin while the user is logged in is processed as if the user had sent it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTML form can be used to send a message to another user via the sam* application:
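The advisory's PoC form is not reproduced above. What follows is an added illustration, not part of the advisory and not sam* code, of the server-side check whose absence the advisory reports: a "send message" POST handler in the vulnerable shape (session cookie is the only check) beside the same handler with an Origin/Referer check and a per-session synchronizer token. Session store, request model, origin and field names are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://sam.example"  # hypothetical deployment origin, not the vendor's

@dataclass
class Session:
    user: str
    # per-session secret; a third-party page cannot read it (same-origin policy)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:                       # constructed stand-in for a framework request
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)

SESSIONS = {}   # session id -> Session (in-memory store for the example)
OUTBOX = []     # (sender, recipient, text) tuples a handler accepted

def login(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid

def _same_origin(value):
    a, b = urlsplit(value), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def send_message_vulnerable(req):
    # The behaviour the advisory describes: any POST carrying the victim's
    # session cookie is honoured, wherever the form was served from.
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    OUTBOX.append((sess.user, req.form["to"], req.form["text"]))
    return 200

def send_message_protected(req):
    sess = SESSIONS.get(req.cookies.get("sessionid"))
    if sess is None:
        return 401
    # 1. If the browser sent Origin or Referer, it must name our own site.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is not None and not _same_origin(src):
        return 403
    # 2. The form must echo the token bound to this session (constant-time compare).
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return 403
    OUTBOX.append((sess.user, req.form["to"], req.form["text"]))
    return 200
```

Check 2 is the one that matters in practice; check 1 is cheap defence in depth for browsers that send Origin on cross-site POSTs.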
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor
2016-04-18: Release of a fixed version
2016-05-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-005
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-005.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en