#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  IBM Notes Traveler [1]
# Vendor:   IBM
# CSNC ID:  CSNC-2018-024
# Subject:  Reflected Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     14.05.2018
#
#############################################################

Introduction:
-------------
IBM® Notes® Traveler is push email software designed to provide quick, secure
access to email, calendar and contacts from a wide range of mobile devices or
tablets. It synchronizes email, calendar and contacts data between IBM
SmartCloud® Notes or IBM Verse® and the device. It is a no-charge mobile
offering available for IBM Notes, IBM Verse and IBM Domino® users. It is easy
to install and simple to use. [1]

Compass Security discovered a security flaw in Notes Traveler which allows
injecting client-side code into the application.

Affected:
---------
Vulnerable:
 * Version 9.0.1.20

Technical Description
---------------------
Users are able to upload a file while submitting a problem report. The name of
this file can be manipulated so as to contain malicious code, which is then
reflected in the server's response.
Request:

POST /traveler HTTP/1.1
Host: [CUT]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [CUT]
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------124347541119377898241809539723
Content-Length: 621

-----------------------------124347541119377898241809539723
Content-Disposition: form-data; name="problemText"


-----------------------------124347541119377898241809539723
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream

test
-----------------------------124347541119377898241809539723
Content-Disposition: form-data; name="action"

getReportProblem
-----------------------------124347541119377898241809539723
Content-Disposition: form-data; name="cmd"

upload
-----------------------------124347541119377898241809539723--

Response:

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 3241
Content-Type: text/html;charset=UTF-8
X-IBM-TRAVELER-HTTP-TIME: 219
X-Frame-Options: SAMEORIGIN
X-IBM-TRAVELER-HOST: [CUT]
Strict-Transport-Security: max-age=0
X-AspNet-Version: 4.0.30319
Server: Lotus-Domino
X-MDM-Powered-By: AirWatch @ www.air-watch.com
Date: Fri, 11 May 2018 13:10:45 GMT
Connection: close

[CUT]IBM Traveler - Report a Problem[CUT]
[CUT]The file name of the request, test, is not allowed.
[CUT]IBM Traveler Version: 9.0.1.20 Build 201711091501_20 running on [CUT]
Domino Version: Release 9.0.1FP10|January 15, 2018 running on [CUT][CUT]

Workaround / Fix:
-----------------
This issue can be fixed by properly encoding user-provided input when it is
displayed back to the user.

Timeline:
---------
2018-09-06: Public disclosure
2018-05-17: Initial vendor response
2018-05-16: Initial vendor notification
2018-05-11: Discovery by Stephan Sekula

References:
-----------
[1] https://www.ibm.com/us-en/marketplace/mobile-email
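The fix described under "Workaround / Fix", as an added example that is not IBM's code: a hypothetical handler for the problem-report upload that validates the file name against an allow-list and HTML-encodes it when echoing the rejection message, shown next to the unencoded rendering that reproduces the flaw. The allow-list pattern, function names and sample file name are assumptions.

```python
import html
import re

# Constructed allow-list for report attachments (assumption, not Traveler's rule):
# a short name made of safe characters and a known extension.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.(txt|log|zip)$")


def vulnerable_error_page(filename: str) -> str:
    """Builds the rejection message with the untrusted file name inserted
    verbatim into HTML; this is the pattern behind the advisory."""
    return f"<p>The file name of the request, {filename}, is not allowed.</p>"


def safe_error_page(filename: str) -> str:
    """Builds the same message but HTML-encodes the file name first, so any
    markup it carries is rendered as text instead of being interpreted."""
    encoded = html.escape(filename, quote=True)
    return f"<p>The file name of the request, {encoded}, is not allowed.</p>"


def handle_upload(filename: str) -> tuple[int, str]:
    """Server-side handling of the 'file' form part: accept only allow-listed
    names, and encode the rejected name before reflecting it back."""
    if ALLOWED_NAME.match(filename):
        return 200, "<p>Upload accepted.</p>"
    return 400, safe_error_page(filename)


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: True if a file name containing '<' reaches the page
    unchanged, i.e. the output encoding step is missing."""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    # Constructed sample: a file name carrying a harmless tag.
    name = "report<i>x</i>.txt"
    print(vulnerable_error_page(name))  # tag survives, browser would render it
    print(safe_error_page(name))        # tag is encoded as &lt;i&gt;...
```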