-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2017-002
Product: Simplessus Files
Manufacturer: Simplessus
Affected Version(s): 3.7.7
Tested Version(s): 3.7.7
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: January 25, 2017
Solution Date: January 25, 2017
Public Disclosure: February 16, 2017
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product overview:

Simplessus Files is a file sharing web application.

The manufacturer describes the product as follows (see [1]):

Simplessus Files is a simple software solution to exchange files and
documents over the internet. No more file sharing via e-mail, FTP or
CD-ROM with Simplessus Files replace very large files online easily.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability overview:

Due to insufficient filtering of user-controlled input, Simplessus Files
is vulnerable to reflected cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The value of the GET parameter 'action' is reflected in the server
response without proper encoding. Injected JavaScript is thus executed
in the browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Following this link executes JavaScript in the victim's browser,
resulting in an alert box being displayed:

https:///?action=%3Cscript%3Ealert(1)%3C%2fscript%3E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to software version 3.8.3.
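
Added example, not code from the advisory or from Simplessus: a minimal
Python model of the reflection described under Vulnerability Details,
next to a handler that allow-lists and HTML-encodes 'action', plus a
regression check for the response body. The template, the action names
and the host files.example.invalid are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins: the advisory shows neither the application's
# markup nor its valid actions, and the host is a placeholder.
TEMPLATE = ('<input type="hidden" name="action" value="{a}">'
            '<p>Unknown action: {a}</p>')
KNOWN_ACTIONS = {"login", "upload", "download"}
POC_URL = ("https://files.example.invalid/"
           "?action=%3Cscript%3Ealert(1)%3C%2fscript%3E")


def get_action(url):
    """Return the percent-decoded 'action' query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("action", [""])[0]


def render_vulnerable(url):
    """The flaw as described: the decoded value is copied into the HTML."""
    return TEMPLATE.format(a=get_action(url))


def render_fixed(url):
    """Allow-list the parameter and encode it wherever it is echoed."""
    action = get_action(url)
    status = 200 if action in KNOWN_ACTIONS else 400
    # quote=True also encodes " and ', so the value stays inert inside
    # the attribute as well as in the element body.
    return status, TEMPLATE.format(a=escape(action, quote=True))


def reflects_unencoded(body, value):
    """Regression check: is a markup-bearing value echoed verbatim?"""
    return any(c in value for c in "<>\"'") and value in body


if __name__ == "__main__":
    payload = get_action(POC_URL)
    print("vulnerable:", reflects_unencoded(render_vulnerable(POC_URL), payload))
    status, body = render_fixed(POC_URL)
    print("fixed:", status, reflects_unencoded(body, payload))
```

The same reflects_unencoded check can be run against a staging
instance's real responses after the update to confirm the parameter is
encoded.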

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-01-13: Vulnerability discovered
2017-01-25: Vulnerability reported
2017-01-25: Vendor confirmation
2017-02-15: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Simplessus Files
    http://files.simplessus.com
[2] SySS Security Advisory SYSS-2017-002
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-002.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Adrian Vollmer of SySS
GmbH.

E-Mail: adrian.vollmer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Adrian_Vollmer.asc
Key ID: 0x037C9FE7
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en