
Secure Data Space 3.1.1-2 Cross Site Scripting

Posted Dec 11, 2015
Authored by Thomas Vogt

Secure Data Space version 3.1.1-2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2015-7706
MD5 | cadde937b831f5f4d3d0b38dc91d3ee8

secunet Security Networks AG Security Advisory

Advisory: SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities

1. DETAILS
----------
Product: SECURE DATA SPACE
Vendor URL: www.ssp-europe.eu
Type: Cross-site Scripting [CWE-79]
Date found: 2015-09-30
Date published: 2015-12-09
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2015-7706


2. AFFECTED VERSIONS
--------------------
All product versions (Online, Dedicated, For Linux/Windows) in
Web-Client v3.1.1-2
restApiVersion: 3.5.7-FINAL
sdsServerVersion: 3.4.14-FINAL


3. INTRODUCTION
---------------
"The highly secure business solution for easy storage, synchronization, distribution and management of data - regardless of location or device"

(from the vendor's homepage)


4. VULNERABILITY DETAILS
------------------------
Secure Data Space v3.1.1-2 is vulnerable to multiple unauthenticated non-persistent cross-site scripting vulnerabilities when user-supplied input is processed by the server [0].

#1 Proof-of-Concept:
https://example.com/api/v3//public/shares/downloads/111"}<BODY%20ONLOAD%3dalert('XSS')>

#2 Proof-of-Concept(authType parameter):
POST /api/v3/auth/login
{"login":"a","password":"a","language":1,"authType":"random<script>alert(1)<\/script>random"}

#3 Proof-of-Concept(login parameter):
POST /api/v3/auth/reset_password
{"login":"random<script>alert(1)<\/script>random","language":1}
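
Added example (not part of the secunet advisory and not vendor code): a JavaScript sketch of an API error handler that echoes a rejected request value, first in the form that lets the proofs of concept above execute, then hardened. It assumes the reflected value reached the browser in a response rendered as HTML; the function names and the authType allowlist are hypothetical.

```javascript
// Added illustration, not Secure Data Space code. It models an API error
// handler that echoes a rejected request value back to the caller.

// Hypothetical allowlist: the advisory does not list the real authType values.
const KNOWN_AUTH_TYPES = new Set(["basic"]);

// Vulnerable pattern: raw concatenation into a body the browser may parse as HTML.
function unsafeError(field, value) {
  return {
    status: 400,
    headers: { "Content-Type": "text/html" },
    body: '{"code":400,"message":"Invalid ' + field + ": " + value + '"}',
  };
}

// Hardened pattern: serialize with JSON.stringify, escape HTML-significant
// characters as \uXXXX (still valid JSON), and forbid content sniffing.
function safeError(field, value) {
  const body = JSON.stringify({ code: 400, message: "Invalid " + field, rejected: String(value).slice(0, 64) })
    .replace(/[<>&\u2028\u2029]/g, (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  return {
    status: 400,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body,
  };
}

// Login handler sketch: validate authType against the allowlist before use.
function handleLogin(rawBody, makeError) {
  const req = JSON.parse(rawBody);
  if (typeof req.authType !== "string" || !KNOWN_AUTH_TYPES.has(req.authType)) {
    return makeError("authType", req.authType);
  }
  return { status: 200, headers: { "Content-Type": "application/json; charset=utf-8" }, body: "{}" };
}

// Request body of proof-of-concept #2, as printed in the advisory.
const POC2 = String.raw`{"login":"a","password":"a","language":1,"authType":"random<script>alert(1)<\/script>random"}`;
console.log(handleLogin(POC2, unsafeError).body);
console.log(handleLogin(POC2, safeError).body);
```

The hardened body still round-trips through a JSON parser to the original string, so API clients see the same value while a browser never receives a literal angle bracket.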


5. SECURITY RISK
----------------
The vulnerabilities can be used to temporarily embed arbitrary script code into the context of the Secure Data Space backend interface, which offers a wide range of possible attacks such as stealing cookies or attacking the browser and its components.


6. SOLUTION
-----------
Update to Secure Data Space Versions:
Web-Client 3.1.3 - Rev. 3 or higher with
SDS-API 3.5.7 or higher


7. REPORT TIMELINE
------------------
2015-09-30: Vulnerability discovered
2015-10-02: Vendor notified
2015-10-02: Vendor acknowledges the vulnerability
2015-10-05: CVE requested from MITRE
2015-10-05: CVE-2015-7706 assigned
2015-10-13: Vendor releases update and security advisory[0]
2015-12-09: Advisory released


8. REFERENCES / CREDITS
-----------------------
This vulnerability was discovered and researched by Thomas Vogt from secunet Security Networks AG.

[0] https://kb.ssp-europe.eu/pages/viewpage.action?pageId=12059988


secunet Security Networks AG
----------------------------
secunet is one of Germany's leading providers of superior IT security. In close dialogue with its customers – enterprises, public authorities and international organisations – secunet develops and implements high-performance products and state-of-the-art IT security solutions. Thus, secunet not only keeps IT infrastructures secure for its customers, but also achieves intelligent process optimisation and creates sustainable added value. More information about secunet can be found at:
https://www.secunet.com

--
secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
Local Court of Essen HRB 13615
Board of management: Dr. Rainer Baumgart (CEO), Thomas Pleines
