-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2018-022
Product:                   Servicestack Framework
Manufacturer:              Servicestack
Affected Version(s):       4.5.14
Tested Version(s):         4.5.14
Vulnerability Type:        Reflected Cross-Site Scripting (CWE-79)
Risk Level:                Low
Solution Status:           2018-09
Manufacturer Notification: 2018-08-17
Solution Date:             2018-09
Public Disclosure:         2018-12-12
CVE Reference:             CVE-2018-18693
Author of Advisory:        Saleh Elsayed, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Servicestack is a Web and Web Services Framework.

The manufacturer describes the product as follows (see [1]):

"ServiceStack is a simple, fast, versatile and highly-productive
full-featured Web and Web Services Framework that's
thoughtfully-architected to reduce artificial complexity and promote
remote services best-practices with a message-based design that allows
for maximum re-use that can leverage an integrated Service Gateway for
the creation of loosely-coupled Modularized Service Architectures.

ServiceStack Services are consumable via an array of built-in fast data
formats (inc. JSON, XML, CSV, JSV, ProtoBuf, Wire and MsgPack) as well
as XSD/WSDL for SOAP endpoints and Rabbit MQ, Redis MQ, Azure Service
Bus and Amazon SQS MQ hosts."

Due to improper validation of the request query on the server side and
missing output encoding of the reflected value, the framework is
vulnerable to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When an API request is manipulated (e.g. by removing the
"Accept: */*" header), the framework responds with a page that includes
a snapshot of the request name as well as the "Original URL" that
generated the request.

SySS GmbH found that the query string of this GET request is reflected
into the response page and is prone to reflected cross-site scripting
attacks.
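The reflection described above, modelled as an added example (this is not ServiceStack code and not part of the original advisory): an error page inserts the "Original URL" of the request into an `<a href="...">` link. The host name, request name and payload string are assumed placeholders for the bracketed values in this advisory. The example shows both request variants discussed here, the one a browser sends (query value percent-encoded) and the one edited in an intercepting proxy (query value sent verbatim), against an unencoded sink and against a sink that applies HTML attribute encoding.

```python
"""
Added example (not ServiceStack code): a minimal model of the
"Original URL" reflection described in advisory SYSS-2018-022.

The vulnerable sink writes the raw request target into an href attribute.
A query value injected unencoded via a proxy breaks out of the attribute;
the same value percent-encoded by a browser does not; and applying HTML
attribute encoding at the sink neutralises both.
"""
import html
from urllib.parse import quote

HOST = "api.example.test"  # assumed host, stands in for [api]
REQUEST_NAME = "hello"     # assumed request name, stands in for [request-name]

# Constructed payload: closes the href attribute and opens a script element.
PAYLOAD = '"><script>alert(1)</script>'


def request_target(query_value: str, browser_encoded: bool) -> str:
    """Build the request target (path + query) of GET /[request-name]?query=...

    browser_encoded=True models what a browser sends for a typed or clicked
    URL: characters such as '"', '<' and '>' are percent-encoded.
    browser_encoded=False models a request edited in an intercepting proxy,
    where those characters are sent verbatim.
    """
    value = quote(query_value, safe="") if browser_encoded else query_value
    return f"/{REQUEST_NAME}?query={value}"


def original_url_vulnerable(host: str, target: str) -> str:
    """Render the 'Original URL' snapshot without any output encoding."""
    url = f"https://{host}{target}"
    return f'<a href="{url}">{url}</a>'


def original_url_fixed(host: str, target: str) -> str:
    """Render the same snapshot with HTML attribute/text encoding at the sink.

    html.escape(quote=True) turns '"' into &quot; and '<' into &lt;, so the
    untrusted value can no longer terminate the attribute or open a tag.
    """
    url = html.escape(f"https://{host}{target}", quote=True)
    return f'<a href="{url}">{url}</a>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """True if the rendered markup contains a literal <script> element,
    i.e. the untrusted value escaped the href attribute."""
    return "<script>" in rendered


def demo() -> dict:
    """Evaluate the three cases and report whether a script element was injected."""
    raw = request_target(PAYLOAD, browser_encoded=False)   # proxy-injected
    enc = request_target(PAYLOAD, browser_encoded=True)    # browser-encoded
    return {
        "proxy_vulnerable": breaks_out_of_attribute(original_url_vulnerable(HOST, raw)),
        "browser_vulnerable": breaks_out_of_attribute(original_url_vulnerable(HOST, enc)),
        "proxy_fixed": breaks_out_of_attribute(original_url_fixed(HOST, raw)),
    }


if __name__ == "__main__":
    for case, injected in demo().items():
        print(f"{case}: script injected = {injected}")
```

Only the proxy-injected request against the unencoded sink yields a script element; this is why the advisory notes that the browser's own encoding had to be bypassed with a proxy, and why the fix belongs at the output sink rather than in the browser.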
While URL queries and parameters are generally percent-encoded by modern
browsers before they are sent, SySS GmbH was able to bypass the
browser's encoding by intercepting the request with a proxy and
injecting the script code afterwards. The query is neither sanitized
nor encoded on the server side, and the script is reflected within the
response.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Attack Vector:

https://[api]/[request-name]?query=[query value]

Request:

GET /[request-name]?query=[query value] HTTP/1.1
Host: [api]
[...]

This request results in the following response, which reflects the
unencoded query value in the "Original URL" link (excerpt):

ery=[query-value]&">https://[api]/[request-name]?query=[query value]&
[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the software with the patch released by the manufacturer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-07-24: Vulnerability discovered
2018-08-17: Vulnerability reported to manufacturer
2018-09   : Patch released by manufacturer
2018-09   : Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Servicestack
    https://servicestack.net/
[2] SySS Security Advisory SYSS-2018-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-022.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Saleh Elsayed of SySS GmbH.

E-Mail: saleh.elsayed@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Saleh_Elsayed.asc
Key ID: 0x8E0119652ECD9E2F
Key Fingerprint: 657D BFB8 0A09 D59E DEAC 6893 8E01 1965 2ECD 9E2F

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZX2/uAoJ1Z7erGiTjgEZZS7Nni8FAlwJIccACgkQjgEZZS7N
ni//Fw/8DZv8cLPmzKAKeKAG8wWF90HE4SpwGj81hHeo9bZ+ZDhpsKk1xH3Xnkhu
W6uhRF4yyfsOcVgnGIAG10AGiFY6PT+J/Tljpg3BTeqP/Gk600mexB7vjrNY6krC
3AhoV/oYXna/dPBnquXvd4aQc9/3aRByX4TjAGXHY6Mjt+e/CbcCXLOVSm80dPJX
aTyBdkXHl8xi/wOKr4Ox9gMuQgkhTsBAlqqGSNmPunmjjXJJBX6hcBCrK/i6T/la
ML1RIwZRAVF5w0QbjH7bK/xQT7vmNBfjQfBuW60dU5t+uZOmeKHHyR6VEF47Tpjg
2LFSk4mUfZ9PKcJfvTS6mQ5S7vVzzW7QjwBFLyThZ+gX80ghU0syW1guyDQ8Mq+l
IWLO84cCVrQ4cEl8Q4z8Tj5u1MblS56NkLuBIyXi5QlmJLRlRLnAMOQH6gOUNE1f
gDW7ev8yL5MOd9tPyNy44fQqyVYtmtk6I1ALl1qTSWN/8Rc36GuG/KzKlS50fkPG
gsiU0NWDgy81lmBJfbAxX9UD8m+sfQvb7T5P5ifh4SCcqG9xgjnxqxK8hKSDc9p5
liOvzGdar3NfgnXn/0Ai5rYhj6zPEivmm0HVbDjMKm8V8OCiDDICUzPJzDmK1YvH
4o8CmA2/4kukKLT5j6kSijwDYZFPLfe9gkN03Xo9VYnEKWMhINs=
=uQgH
-----END PGP SIGNATURE-----