-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-010
Product: FirstClass
Manufacturer: Open Text Corporation
Affected Version(s): Unknown
Tested Version(s): Unknown
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Not fixed
Manufacturer Notification: 2016-02-04
Solution Date: -
Public Disclosure: 2016-06-10
CVE Reference: Not assigned
Author of Advisory: Christian Kistner (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FirstClass is a Groupware by Open Text[1] for multiple platforms
including a web client for accessing.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified the viewing of uploaded HTML files including
JavaScript code is vulnerable to Persistent Cross-Site Scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a file ending by .html containing the following content:

<!DOCTYPE html>
<html>
<body>
<h1>SySS</h1>
<script>alert(1)</script>
</body>
</html>

Upload it to one of the following forms:
* documents
* files
* attachements

When the uploaded file is clicked, JavaScript code is executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Set the correct Content-Type and Content-Disposition header correctly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-01-22: Vulnerability discovered
2016-02-04: Manufacturer Notification
2016-03-18: Vulnerability reported to manufacturer
2016-06-10: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] OpenText FirstClass
    http://www.opentext.com/what-we-do/products/specialty-technologies/firstclass

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Christian Kistner of the SySS GmbH.

E-Mail: christian.kistner [at] syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Christian_Kistner.asc
Key ID: 0x87A0D373
Key Fingerprint: E22C 4D21 8B81 98C5 F2B9 DA6F 4BF1 1528 87A0 D373

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXWqmiAAoJEEvxFSiHoNNzv1wQAK/jlGeFYtjUPBRd2tuqTqZB
xOZ7RzWnhwVZcmrEVY6t3GfVIG7ur5K1FLyT3K/dZEe+SuOJ2O0ZECeoGOaBkRVE
FGafo0cqyFgG3zVN+iHJ0bFaOQ0EY9K8etOEIf+1JJn9xxrFK8BRS4B0UCNYyJu9
zrMV3BPUi5XFbUXqX8I840OAXY9CS72jVuA1MPWDubUaItZUy1a+fiUlsv7FgE/g
kjRCz5KUnrEionewLWPUwb/TNdOjrxd/FK1cItZ544buCjfvNDTt6MkX7QkvJKZj
fYCXUXARiq5BSZThfSKnLUwO+DstYr0uEz1gSukrFY7Fj1s5gO2xhv7zI9F2f4Me
UNSDftJQo08I3XZuxJpwrVk2lZn6FRzTjX0kilMdol+Fa+vOOSFwcebbVqbX2PTP
5RFtSJAiMQGzRhX992ohHU8AF03QqcNtcqNJnmQy0bO87SIjnPvHBd/40zqQwAWV
OwcrZbwhp3M1tyxwh/ZOZVXLe5whd3GbInc7AcRyWKRImOAwryI7Wlir+cmhYZI9
4Vqha+UZjn5J+o4FaajgOWpwOb/tClqDSMr0D/iP/AVNK9w3i10a2rmhJfJLRV4L
WEqZywTbqhTv0ZUdqHfqBwY29L5qOpH6SnDfzZmayFEMJW8hSrPn9wNAgiX6GJ2s
uuaeI+hoq1vnSej+Mc10
=W2gZ
-----END PGP SIGNATURE-----