RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Mattermost Vendor URL: www.mattermost.org Type: Cross-site Scripting [CWE-79] Date found: 02/12/2016 Date published: 16/01/2017 CVSSv3 Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Mattermost v3.5.1 Mattermost v3.5.0 older versions may be affected too. 4. INTRODUCTION =============== Mattermost is an open source Slack-alternative built for enterprise. Thousands of companies use Mattermost for workplace messaging across web, PC and phones with archiving, search, corporate directory integration and connectivity to over 700 third party applications. Available under MIT license in 11 languages Mattermost offers peace-of-mind, value, control, and freedom from lock-in for organizations around the world. 5. VULNERABILITY DETAILS ======================== The Mattermost "/error" page is vulnerable to an unauthenticated reflected Cross-Site Scripting vulnerability when user-supplied input to the HTTP GET parameter "link" is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to set the return link, which is part of the error page, to a base64 encoded DATA URI. This could be used to execute arbitrary JavaScript code in the context of an authenticated as well as unauthenticated user. There is one restriction which reduces the attack likelihood: Due to JavaScript validations it is not possible to execute the payload by a simple click on the return link, but instead it must be opened in a new browser tab or window. However since an attacker does also have all other text elements (HTTP GET parameters "title" and "linkmessage") of the error page under control, it is possible to perform social engineering attacks on the very same page. The following Proof-of-Concept triggers this vulnerability by injecting a base64-encoded data URI and a spoofed content text for the title and link message: https://localhost/error?title=Unknown%20Error&link=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=&linkmessage=http://mattermost.org&message=Something%20went%20wrong%20with%20the%20provided%20link,%20open%20it%20with%20a%20right%20click%20instead! The payload is afterwards reflected within the response body: <div class="error__container"><div class="error__icon"><i class="fa fa-exclamation-triangle"></i></div><h2>Unknown Error</h2><div><p>Something went wrong with the provided link, open it with a right click instead!</p> </div><a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">http://mattermost.org</a></div> 6. RISK ======= To successfully exploit this vulnerability an authenticated or unauthenticated user must be tricked into visiting a prepared link provided by the attacker. Once on the "/error" page, the user must also be tricked into opening the link in a new tab or window, which can be accomplished by spoofing the other elements of the error page. The vulnerability can be used to temporarily embed arbitrary script code into the context of the Mattermost error page, which offers a wide range of possible attacks such as redirecting the user to a malicious page or attacking the browser and its plugins. Since session-relevant cookies are protected with the HttpOnly flag, it is not possible to hijack sessions. 7. SOLUTION =========== Update to Mattermost v3.6.0. 8. REPORT TIMELINE (DD/MM/YYYY) =============================== 02/12/2016: Discovery of the vulnerability 02/12/2016: Created support ticket #2231 with preset disclosure date set to 16/01/2017 12/12/2016: No response, sent out another notification 12/12/2016: Vendor confirms the vulnerability 03/01/2017: No further response, sent reminder about the disclosure date 16/01/2017: Vendor releases v3.6.0 which fixes this vulnerability 18/01/2017: Advisory released 9. REFERENCES ============= -
Attachment:
signature.asc
Description: OpenPGP digital signature