Advisory ID: SYSS-2017-031
Product: Homee Webapplication
Manufacturer: Codeatelier GmbH
Affected Version(s): 2.15.0 (98f8035)
Tested Version(s): 2.15.0 (98f8035)
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Closed
Manufacturer Notification: 2017-11-24
Solution Date: 2018-02-20
Public Disclosure: 2018-02-20
CVE Reference: Not yet assigned
Author of Advisory: Dr. Erlijn van Genuchten, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

homee is a modular smart home unit. Smart home users can connect their
IoT products to this unit in order to monitor and configure them.

The manufacturer describes the product as follows (see [1]):

"homee is a radio station, which allows you to communicate with
intelligent, broadcasting devices."

Due to insufficient input filtering, the web application that provides
access to the smart home unit is vulnerable to persistent cross-site
scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that the homee web application is prone to persistent
cross-site scripting attacks in several locations, as users are allowed
to enter JavaScript code. This code is executed in the browser context of
other users, which for example allows ordinary homee users to attack
homee chiefs.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A homee user can add a homeegram comment containing, for example, the
attack vector . This attack vector is automatically executed when
another user, including a homee chief, opens the Homeegram page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 2.17.0 (f274e0e) or later.
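The root cause described above is that a stored comment is rendered as markup instead of as text. The following is an added example, not code from homee or SySS, showing the vulnerable rendering pattern beside the hardened one; the function names, the comment object shape and the sample comment are constructed for illustration.

```javascript
// Characters that carry meaning in HTML element content or in a
// double-quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode every HTML-significant character so the browser treats the
// result as text. Applied at output time, this neutralises whatever was
// stored, which is why output encoding is the primary XSS fix.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): the stored comment is concatenated
// into markup that is later assigned via innerHTML, so any tag a user
// typed into the comment becomes live DOM for every viewer of the page.
function renderCommentUnsafe(comment) {
  return `<div class="homeegram-comment">${comment.text}</div>`;
}

// Hardened pattern: identical markup, but the untrusted field is encoded.
// In a browser, the equivalent is creating the element and setting its
// textContent rather than innerHTML.
function renderCommentSafe(comment) {
  return `<div class="homeegram-comment">${escapeHtml(comment.text)}</div>`;
}

// Constructed sample comment used as a persistent-XSS test input; a real
// comment would come from the homee backend's stored homeegram data.
const SAMPLE_COMMENT = { text: "<script>alert(1)</script>" };

// Regression check a defender can keep in a test suite: rendered output
// must never contain a raw tag that originated in the comment body.
function rendersInert(comment) {
  const rendered = renderCommentSafe(comment);
  const inner = rendered.slice(rendered.indexOf(">") + 1, rendered.lastIndexOf("<"));
  return !/[<>]/.test(inner);
}
```

The check in `rendersInert` is a unit-test style guard for the template, not a substitute for encoding: the fix is to encode at every output point, in this case each place a homeegram comment is rendered.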
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-11-20: Vulnerability discovered
2017-11-24: Vulnerability reported to manufacturer
2018-02-20: A fixed version of the software was published
2018-02-20: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for homee
    https://hom.ee/
[2] SySS Security Advisory SYSS-2017-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-031.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Erlijn van Genuchten of
SySS GmbH.

E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erlijn_van_Genuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en