[RCESEC-2016-012] Mattermost <= 3.5.1 "/error" Unauthenticated Reflected Cross-Site Scripting / Content Injection

From: Julien Ahrens <info@rcesecurity.com>
To: bugtraq@securityfocus.com
Message-ID: <8ab8d85b-5031-95fa-f8db-b1c3310c90ad@rcesecurity.com>
Subject: [RCESEC-2016-012] Mattermost <= 3.5.1 "/error" Unauthenticated Reflected Cross-Site Scripting / Content Injection


RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Mattermost
Vendor URL:     www.mattermost.org
Type:           Cross-site Scripting [CWE-79]
Date found:     02/12/2016
Date published: 16/01/2017
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Mattermost v3.5.1
Mattermost v3.5.0
older versions may be affected too.


4. INTRODUCTION
===============
Mattermost is an open source Slack-alternative built for enterprise.
Thousands of companies use Mattermost for workplace messaging across
web, PC and phones with archiving, search, corporate directory
integration and connectivity to over 700 third party applications.
Available under the MIT license in 11 languages, Mattermost offers
peace of mind, value, control, and freedom from lock-in for
organizations around the world.


5. VULNERABILITY DETAILS
========================
The Mattermost "/error" page is affected by an unauthenticated
reflected Cross-Site Scripting vulnerability in its handling of the
HTTP GET parameter "link". Because the application does not validate or
sanitize this parameter, the return link that forms part of the error
page can be set to a base64-encoded data: URI, which can be used to
execute arbitrary JavaScript code in the context of an authenticated as
well as an unauthenticated user.

One restriction reduces the attack likelihood: because of client-side
JavaScript validation, the payload is not executed by a simple click on
the return link; the link must instead be opened in a new browser tab or
window. However, since the attacker also controls all other text
elements of the error page (the HTTP GET parameters "title" and
"linkmessage"), social engineering can be performed on the very same
page.

The following Proof-of-Concept triggers this vulnerability by injecting
a base64-encoded data URI and a spoofed content text for the title and
link message:

https://localhost/error?title=Unknown%20Error&link=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=&linkmessage=http://mattermost.org&message=Something%20went%20wrong%20with%20the%20provided%20link,%20open%20it%20with%20a%20right%20click%20instead!

The payload is afterwards reflected within the response body:

<div class="error__container"><div class="error__icon"><i class="fa fa-exclamation-triangle"></i></div><h2>Unknown Error</h2><div><p>Something went wrong with the provided link, open it with a right click instead!</p>
</div><a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">http://mattermost.org</a></div>
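As an added illustration (not Mattermost's code and not the fix shipped in v3.6.0), the following Go allowlist shows how a return-link parameter like "link" can be validated before it is written into an href, so that the data: URI from the proof of concept above falls back to the site root; siteHost is an assumed value standing in for the deployment's own host:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// siteHost is a constructed value for this example; a real deployment would
// take it from its configured site URL.
const siteHost = "mattermost.example.com"

// SafeReturnLink is an allowlist filter for a user-supplied return link.
// It accepts only (a) a plain relative path starting with a single "/" or
// (b) an absolute http(s) URL whose host is siteHost. Everything else,
// including data: and javascript: URIs, protocol-relative "//host" paths
// and foreign hosts, is replaced by "/" so the href can never carry script.
func SafeReturnLink(raw string) string {
	const fallback = "/"
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return fallback
	}
	if u.Scheme == "" && u.Host == "" {
		// Relative link: reject "//evil" (url.Parse already treats it as a
		// host, but be explicit) and backslashes, which browsers turn into "/".
		p := u.Path
		if strings.HasPrefix(p, "/") && !strings.HasPrefix(p, "//") && !strings.Contains(p, `\`) {
			return u.String()
		}
		return fallback
	}
	// Absolute link: scheme must be http/https and the host must be our own.
	if (u.Scheme == "http" || u.Scheme == "https") && strings.EqualFold(u.Hostname(), siteHost) {
		return u.String()
	}
	return fallback
}

func main() {
	// First input is the advisory's base64 data: URI payload.
	for _, in := range []string{
		"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=",
		"javascript:alert(1)",
		"//evil.example/login",
		"https://mattermost.example.com/login",
		"/login?next=%2Fchannels",
	} {
		fmt.Printf("%q -> %q\n", in, SafeReturnLink(in))
	}
}
```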


6. RISK
=======
To successfully exploit this vulnerability an authenticated or
unauthenticated user must be tricked into visiting a prepared link
provided by the attacker. Once on the "/error" page, the user must also
be tricked into opening the link in a new tab or window, which can be
accomplished by spoofing the other elements of the error page.

The vulnerability can be used to temporarily embed arbitrary script code
into the context of the Mattermost error page, which offers a wide range
of possible attacks such as redirecting the user to a malicious page or
attacking the browser and its plugins. Since session-relevant cookies
are protected with the HttpOnly flag, it is not possible to hijack sessions.


7. SOLUTION
===========
Update to Mattermost v3.6.0.


8. REPORT TIMELINE (DD/MM/YYYY)
===============================
02/12/2016: Discovery of the vulnerability
02/12/2016: Created support ticket #2231 with preset disclosure date
            set to 16/01/2017
12/12/2016: No response, sent out another notification
12/12/2016: Vendor confirms the vulnerability
03/01/2017: No further response, sent reminder about the disclosure date
16/01/2017: Vendor releases v3.6.0 which fixes this vulnerability
18/01/2017: Advisory released


9. REFERENCES
=============
-

