Security Advisory 7

Date: 2014-11-01

A potentially significant security issue has been reported on all versions of Alfresco. Alfresco has developed a fix for Enterprise Edition and released it via the Service Pack process. Alfresco strongly recommends all customers immediately apply the provided fixes. All users of Alfresco Community Edition should upgrade to Alfresco Community Edition 5.0.b. Details of this issue are available under the heading “File Download Vulnerability”.

Two medium-impact security issues have also been raised, potentially exposing Alfresco users to attacks from injected JavaScript and iFrames. The details for these two issues and their fixes are available under the headings “TaskID Injection” and “Control Wrapper Injection”.

File Download Vulnerability

Severity: High

Impact: Exposure of server filesystem

Exploitable: Remotely by authenticated users with administrative permissions

Related Issues: MNT-12301

Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.

Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.47, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.

Description

An authenticated Alfresco administrator can craft a URL to download any file on the file system, as long as the user account that the Alfresco web application server is running under has access to read the file. Exploitation of this vulnerability can result in exposing file system files via an Alfresco download link to an Alfresco administrator who doesn’t have appropriate user permissions for the files exposed. Please note, this exploitation can only be performed by Alfresco administrators, not by the general public, or non-administrator users.

This can be done by logging in as the administrator and browsing to:
http://serverort/alfresco/dr?contentUrl=store://../../../../../../../../../../../../etc/passwd

Mitigation Strategies: To mitigate this vulnerability in existing versions of Alfresco, ensure that the user account which is used by the Alfresco web application only has access to files which are necessary for it to run. The issues is also mitigated by restricting access to the alfresco tier of the application.

TaskID Injection

Severity: Medium

Impact: Various injection vulnerabilities

Exploitable: Remotely via a crafted malicious URL sent to an authenticated user

Related Issues: MNT-12234

Affects: All currently active versions of Alfresco Share prior to the fix versions listed below are impacted by this issue.

Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.49, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.

Description

An attacker can inject JavaScript into a URL in a way that it can be run in a victim's browser.

The attacker can craft a malicious URL based on the workflow-details webscript. The taskId parameter can be made to include malicious javascript. Once the attacker has managed to trick a user who is logged into Alfresco into clicking the link, the user will be presented with a legitimate page from Share. However, if the user then clicks on the 'Task Details' link, the embedded JavaScript will be run in the user's browser.

Mitigation Strategies: Educating users to not click on unsolicited URLs and to manually navigate to relevant pages instead of relying on hyperlinks can help to mitigate the effects of this vulnerability.

Control Wrapper Injection

Severity: Medium

Impact: Injection of JavaScript, iFrames, and URLs

Exploitable: Remotely via a crafted malicious URL sent to an authenticated user

Related Issues: MNT-12392

Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.

Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.49, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.

Description

An attacker can craft a malicious POST request based on the control-wrapper form component. The parameters can be made to include malicious javascript, malicious iFrame links and malicious URLs.

Once the attacker has managed to trick a user who is logged into Alfresco into submitting the link, the user will be presented with a legitimate page from Share. However, depending on the exact attack used, JavaScript could be run in the browser, or the browser could be made to request content from other sites without the user's knowledge.

All the attacks require an HTTP POST request, so a simple url is not sufficient. One example of the post request would be:

https://<server>:<port>/share/service/components/form/control-wrapper
Content-Type: application/x-www-form-urlencoded
 X-Requested-With: application/json
 ....
 htmlid=alf-id4%27%22%3E%3Ciframe+id%3D808+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E&type=date&name=schedule.start.iso8601&label=Start%20Date&value=&controlParams=%7B%22showTime%22%3A%22true%22%7D&field=%7B%22mandatory%22%3Atrue%7D

The targeted control is only used by Alfresco Administrators, so non-administrator users are not affected.

Mitigation Strategies: Educating users to not click on unsolicited URLs and to manually navigate to relevant pages instead of relying on hyperlinks can help to mitigate the effects of this vulnerability. This attack specifically targets administrative users. Admin users should take special care in regards to unsolicited URLs.