-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2018-022
Product: Servicestack Framework
Manufacturer: Servicestack
Affected Version(s): 4.5.14
Tested Version(s): 4.5.14
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed (patch released 2018-09)
Manufacturer Notification: 2018-08-17
Solution Date: 2018-09
Public Disclosure: 2018-12-12
CVE Reference: CVE-2018-18693
Author of Advisory: Saleh Elsayed, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Servicestack is a Web and Web Services Framework.
The manufacturer describes the product as follows (see [1]):
"ServiceStack is a simple, fast, versatile and highly-productive
full-featured Web and Web Services Framework that’s thoughtfully-
architected to reduce artificial complexity and promote remote services
best-practices with a message-based design that allows for maximum
re-use that can leverage an integrated Service Gateway for the creation
of loosely-coupled Modularized Service Architectures. ServiceStack
Services are consumable via an array of built-in fast data formats (inc.
JSON, XML, CSV, JSV, ProtoBuf, Wire and MsgPack) as well as XSD/WSDL for
SOAP endpoints and Rabbit MQ, Redis MQ, Azure Service Bus and Amazon SQS
MQ hosts."
Because the query string of a request is reflected into an HTML response
page without sanitization or output encoding, the framework is
vulnerable to reflected cross-site scripting attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Upon manipulating the API request (e.g. removing the Accept: */* header),
the framework's response page includes a snapshot of the request name
and also the "Original URL" that generated the request.
SySS GmbH found that the query string used in the GET request is prone
to reflected cross-site scripting attacks.
While URL queries and parameters are generally encoded by modern
browsers, SySS GmbH bypassed the browser's encoding by intercepting the
request with a proxy and injecting the script code after the browser
had already encoded the URL. The query string is neither sanitized nor
output-encoded on the server side, so the script is reflected verbatim
within the response. Since a victim's browser will generally apply the
same encoding to a crafted link, delivery of the payload requires a
client or channel that transmits the query string unencoded.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Attack Vector: https://[api]/[request-name]?query=[query value]
Request:
GET /[request-name]?query=[query value] HTTP/1.1
Host: [api]
[...]
This request results in a response in which the original URL, including
the unencoded query value, is reflected inside a quoted attribute value
and again as text (fragment as preserved in this advisory):
[...]query=[query-value]&">https://[api]/[request-name]?query=[query value]&
[...]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update the software with the patch released by the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-07-24: Vulnerability discovered
2018-08-17: Vulnerability reported to manufacturer
2018-09   : Patch released by manufacturer
2018-12-12: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Servicestack
https://servicestack.net/
[2] SySS Security Advisory SYSS-2018-022
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-022.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Saleh Elsayed of SySS GmbH.
E-Mail: saleh.elsayed@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Saleh_Elsayed.asc
Key ID: 0x8E0119652ECD9E2F
Key Fingerprint: 657D BFB8 0A09 D59E DEAC 6893 8E01 1965 2ECD 9E2F
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----