RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Mattermost
Vendor URL:     www.mattermost.org
Type:           Cross-site Scripting [CWE-79]
Date found:     02/12/2016
Date published: 16/01/2017
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Mattermost v3.5.1
Mattermost v3.5.0
older versions may be affected too.


4. INTRODUCTION
===============
Mattermost is an open source Slack-alternative built for enterprise.
Thousands of companies use Mattermost for workplace messaging across
web, PC and phones with archiving, search, corporate directory
integration and connectivity to over 700 third party applications.
Available under MIT license in 11 languages Mattermost offers
peace-of-mind, value, control, and freedom from lock-in for
organizations around the world.


5. VULNERABILITY DETAILS
========================
The Mattermost "/error" page is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to
the HTTP GET parameter "link" is processed by the web application. Since
the application does not properly validate and sanitize this parameter,
it is possible to set the return link, which is part of the error page,
to a base64 encoded DATA URI. This could be used to execute arbitrary
JavaScript code in the context of an authenticated as well as
unauthenticated user.

There is one restriction which reduces the attack likelihood: Due to
JavaScript validations it is not possible to execute the payload by a
simple click on the return link, but instead it must be opened in a new
browser tab or window. However since an attacker does also have all
other text elements (HTTP GET parameters "title" and "linkmessage") of
the error page under control, it is possible to perform social
engineering attacks on the very same page.

The following Proof-of-Concept triggers this vulnerability by injecting
a base64-encoded data URI and a spoofed content text for the title and
link message:

https://localhost/error?title=Unknown%20Error&link=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=&linkmessage=http://mattermost.org&message=Something%20went%20wrong%20with%20the%20provided%20link,%20open%20it%20with%20a%20right%20click%20instead!

The payload is afterwards reflected within the response body:

<div class="error__container"><div class="error__icon"><i class="fa
fa-exclamation-triangle"></i></div><h2>Unknown
Error</h2><div><p>Something went wrong with the provided link, open it
with a right click instead!</p>
</div><a
href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">http://mattermost.org</a></div>


6. RISK
=======
To successfully exploit this vulnerability an authenticated or
unauthenticated user must be tricked into visiting a prepared link
provided by the attacker. Once on the "/error" page, the user must also
be tricked into opening the link in a new tab or window, which can be
accomplished by spoofing the other elements of the error page.

The vulnerability can be used to temporarily embed arbitrary script code
into the context of the Mattermost error page, which offers a wide range
of possible attacks such as redirecting the user to a malicious page or
attacking the browser and its plugins. Since session-relevant cookies
are protected with the HttpOnly flag, it is not possible to hijack sessions.


7. SOLUTION
===========
Update to Mattermost v3.6.0.


8. REPORT TIMELINE (DD/MM/YYYY)
===============================
02/12/2016: Discovery of the vulnerability
02/12/2016: Created support ticket #2231 with preset disclosure date
            set to 16/01/2017
12/12/2016: No response, sent out another notification
12/12/2016: Vendor confirms the vulnerability
03/01/2017: No further response, sent reminder about the disclosure date
16/01/2017: Vendor releases v3.6.0 which fixes this vulnerability
18/01/2017: Advisory released


9. REFERENCES
=============
-