Advisory ID: SYSS-2019-046
Product: Micro Focus Vibe (formerly Novell Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: HTML Injection (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: Not assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Micro Focus Vibe is a web-based team collaboration platform that can
serve as a knowledge repository, document management system, project
collaboration hub, process automation machine, corporate intranet or
extranet [1].

The manufacturer describes the product as follows (see [2]):

"Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and
processes together in one secure place to enhance team productivity --
no matter where the team is or what devices they use."

Due to insufficient server-side validation of user input, Vibe is
vulnerable to injection of malicious HTML markup into file titles.
(For a related vulnerability, see our advisory SYSS-2019-047 [3].)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
In Vibe, an uploaded file can be assigned a title that is different
from the filename. While HTML markup is not allowed in filenames, it is
partially accepted in file titles. This behavior poses a low to medium
security risk, because it can be exploited by an authenticated attacker
to inject malicious HTML markup into the title of a file uploaded by
the attacker. For instance, the attacker can submit an external link as
a file title, thus changing Vibe's expected behavior upon clicking on
the title -- the malicious external resource will be requested instead
of the internal page of the uploaded file. With a little social
engineering, authenticated victims can be tricked into submitting their
Vibe credentials to the attacker's server, by directing the victim's
browser to a fake Vibe login page and prompting the victim to log in
again because of an alleged error.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
An authenticated attacker uploads a file with, e.g., the following
title:

</a><a href="https://evil.me/fakeVibeLogin.html">Meaningful Title

An authenticated victim sees the title "Meaningful Title" on the list
of latest uploads and clicks on it. The victim's browser is directed to
the fake Vibe login page with the URL
https://evil.me/fakeVibeLogin.html.
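As an added illustration (not code from the advisory, from SySS, or from Micro Focus), the following Python models the rendering flaw described above beside its fix: the vulnerable variant interpolates the stored title into the list anchor unescaped, so the PoC title closes the anchor and opens its own, while the hardened variant HTML-escapes the title so it can only be text. The internal file URL, the allowed host and all helper names are assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample: the file title from the advisory's PoC, as stored.
POC_TITLE = '</a><a href="https://evil.me/fakeVibeLogin.html">Meaningful Title'
FILE_URL = "/vibe/files/1234"  # assumed internal page of the uploaded file

def render_entry_vulnerable(title: str, file_url: str) -> str:
    """Models the flawed behavior: the title is dropped into the anchor
    unescaped, so markup in the title escapes the anchor's text context."""
    return f'<a href="{file_url}">{title}</a>'

def render_entry_fixed(title: str, file_url: str) -> str:
    """Hardened variant: escape the title at output time so it is
    rendered as text, whatever the user submitted."""
    return f'<a href="{file_url}">{html.escape(title, quote=True)}</a>'

_HREF_RE = re.compile(r'<a\s[^>]*href="([^"]*)"', re.IGNORECASE)
_TAG_RE = re.compile(r'</?[a-zA-Z][^>]*>')

def link_targets(markup: str) -> list[str]:
    """Every href in the rendered markup (simplified parser, sufficient
    for the entries generated above)."""
    return _HREF_RE.findall(markup)

def external_targets(markup: str, allowed_host: str = "") -> list[str]:
    """Hrefs that leave the application: absolute URLs whose host is not
    allowed_host. A relative internal link has no host and is ignored."""
    out = []
    for href in link_targets(markup):
        host = urlparse(href).netloc
        if host and host != allowed_host:
            out.append(href)
    return out

def title_contains_markup(title: str) -> bool:
    """Defender-side audit check for stored titles: flags any value that
    contains an HTML tag, e.g. when reviewing data created before the
    upgrade to a fixed version."""
    return _TAG_RE.search(title) is not None
```

Rendering the PoC title through the vulnerable function yields a second anchor pointing at the external host; through the fixed function it yields a single anchor to the internal file page with the injected markup shown as literal text.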
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Upgrade Vibe to version 4.0.7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-10-27: Vulnerability discovered
2019-11-07: Vulnerability reported to manufacturer
2020-03-24: Patch released by manufacturer
2020-03-25: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Wikipedia article on Novell Vibe
https://en.wikipedia.org/wiki/Novell_Vibe
[2] Product website for Micro Focus Vibe
https://www.microfocus.com/en-us/products/micro-focus-vibe/overview
[3] SySS Security Advisory SYSS-2019-047
Stored Cross-Site Scripting (XSS) in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-047.txt
[4] SySS Security Advisory SYSS-2019-046
HTML Injection in Micro Focus Vibe
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-046.txt
[5] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Vladimir Bostanov of
SySS GmbH.
E-Mail:
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Vladimir_Bostanov.asc
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en