Advisory ID: SYSS-2016-039
Product: wy-files
Manufacturer: wycomco GmbH
Affected Version(s): Unspecified
Tested Version(s): Unspecified
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-05-09
Solution Date: 2016-06-16
Public Disclosure: 2016-07-18
CVE Reference: Not yet assigned
Author of Advisory: Sascha Muenzberg, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

wy-files is a web-based file transfer application provided by the wycomco GmbH.

Due to improper input validation, the web application is vulnerable to Reflected Cross-Site Scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that at least one URL of the web application wy-files is prone to a Reflected Cross-Site Scripting attack.

This Cross-Site Scripting vulnerability allows an attacker to send a manipulated link to his victim in order to execute arbitrary JavaScript code in the context of his victim's web browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL using the JavaScript code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the wycomco GmbH, the reported security vulnerability has been fixed in a new software release.

Please contact the manufacturer for further information or support.
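As an added illustration of the reported flaw class and its fix, not code from wy-files, wycomco or SySS: a minimal page that reflects a URL query parameter, first interpolated verbatim (the vulnerable pattern behind a reflected XSS finding), then HTML-escaped for the element-content context it lands in. The parameter name `file`, the template and the sample link are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a page that echoes a URL parameter back to the
# user. The parameter name "file" and this template are assumptions; they
# are not taken from wy-files.
TEMPLATE = "<html><body><p>Download: {name}</p></body></html>"

# Constructed sample link (placeholder host); the value carries HTML markup
# in percent-encoded form, as it would in a manipulated link.
SAMPLE_LINK = "https://files.example.test/download?file=%3Cb%3Ereport.pdf%3C%2Fb%3E"


def reflected_param(url: str, name: str = "file") -> str:
    """Return the query parameter the page reflects (empty string if absent).

    parse_qs percent-decodes the value, so the markup arrives intact.
    """
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the untrusted value is placed into HTML verbatim."""
    return TEMPLATE.format(name=reflected_param(url))


def render_safe(url: str) -> str:
    """Hardened pattern: escape <, >, &, quotes before interpolation.

    html.escape is correct for element content and quoted attribute values;
    a value placed inside a <script> block or a URL needs a different,
    context-specific encoding instead.
    """
    return TEMPLATE.format(name=html.escape(reflected_param(url), quote=True))


def has_unescaped_markup(rendered: str, untrusted: str) -> bool:
    """True if the untrusted value reached the page with its metacharacters intact."""
    return untrusted in rendered and any(c in untrusted for c in "<>\"'")


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_LINK))  # markup survives: reflected XSS sink
    print(render_safe(SAMPLE_LINK))    # markup neutralised: &lt;b&gt;...
```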
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-03: Vulnerability discovered
2016-05-09: Vulnerability reported to manufacturer
2016-06-16: Vulnerability fixed by manufacturer
2016-07-18: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-039
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-039.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sascha Muenzberg of the SySS GmbH.

E-Mail: sascha.muenzberg@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Muenzberg.asc
Key ID: 0x73033C4F
Key Fingerprint: 63FF 27B8 3E36 5475 1C0E CB5D 27C6 0C38 7303 3C4F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en