Date: 2014-11-01
A potentially significant security issue has been reported on all versions of Alfresco. Alfresco has developed a fix for Enterprise Edition and released it via the Service Pack process. Alfresco strongly recommends all customers immediately apply the provided fixes. All users of Alfresco Community Edition should upgrade to Alfresco Community Edition 5.0.b. Details of this issue are available under the heading “File Download Vulnerability”.
Two medium-impact security issues have also been raised, potentially exposing Alfresco users to attacks from injected JavaScript and iFrames. The details for these two issues and their fixes are available under the headings “TaskID Injection” and “Control Wrapper Injection”.
File Download Vulnerability
Severity: High
Impact: Exposure of server filesystem
Exploitable: Remotely by authenticated users with administrative permissions
Related Issues: MNT-12301
Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.
Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.47, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.
An authenticated Alfresco administrator can craft a URL to download any file on the file system, as long as the user account that the Alfresco web application server is running under has access to read the file. Exploitation of this vulnerability can result in exposing file system files via an Alfresco download link to an Alfresco administrator who doesn’t have appropriate user permissions for the files exposed. Please note, this exploitation can only be performed by Alfresco administrators, not by the general public, or non-administrator users.
This can be done by logging in as the administrator and browsing to:
http://<server>:<port>/alfresco/dr?contentUrl=store://../../../../../../../../../../../../etc/passwd
Mitigation Strategies: To mitigate this vulnerability in existing versions of Alfresco, ensure that the user account which is used by the Alfresco web application only has access to files which are necessary for it to run. The issue is also mitigated by restricting access to the alfresco tier of the application.
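The following is an added example, not Alfresco's own code, illustrating the server-side containment check that closes this class of issue and a log scan that surfaces attempts after the fact. It assumes a content store rooted at a directory STORE_ROOT (a constructed path) and that a store:// URL names a path relative to that root; the access-log lines are constructed, and the log format regex is an assumption. Only the contentUrl parameter name and the /alfresco/dr path come from the advisory.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

STORE_SCHEME = "store://"
# Constructed root for the example; the real location is deployment-specific.
STORE_ROOT = "/var/lib/alfresco/contentstore"


def resolve_content_url(content_url: str, store_root: str = STORE_ROOT) -> Optional[str]:
    """Map a store:// URL to an absolute path strictly inside store_root.

    Returns None when the URL is malformed or escapes the store. The test is
    done on canonical paths (os.path.realpath collapses '..' segments and
    symlinks), so store://../../etc/passwd fails the prefix check instead
    of being served."""
    if not content_url.startswith(STORE_SCHEME):
        return None
    # Decode percent-encoding first so %2e%2e cannot smuggle '..' past the check.
    relative = unquote(content_url[len(STORE_SCHEME):])
    # A leading slash would make os.path.join discard store_root entirely.
    if not relative or relative.startswith(("/", "\\")) or "\x00" in relative:
        return None
    root = os.path.realpath(store_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    # Only proper descendants of the root are acceptable.
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


# Traversal markers, checked after one layer of URL decoding; the %2e%2e
# alternative still catches a second encoding layer (%252e%252e -> %2e%2e).
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)
# Combined-log-format request line (assumed format; adjust for your server).
REQUEST_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, contentUrl) pairs for download requests whose
    contentUrl parameter carries a traversal sequence."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        # parse_qs decodes one layer of percent-encoding for us.
        for url in parse_qs(urlsplit(target).query).get("contentUrl", []):
            if TRAVERSAL.search(url):
                hits.append((client, url))
    return hits


# Constructed access-log lines: two traversal attempts and one legitimate download.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - admin [01/Nov/2014:10:12:01 +0000] "GET /alfresco/dr?contentUrl=store://../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - admin [01/Nov/2014:10:13:44 +0000] "GET /alfresco/dr?contentUrl=store://2014/11/1/content.bin HTTP/1.1" 200 9921',
    '203.0.113.5 - admin [01/Nov/2014:10:15:09 +0000] "GET /alfresco/dr?contentUrl=store%3A%2F%2F%252e%252e%2F%252e%252e%2Fetc%2Fshadow HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(resolve_content_url("store://2014/11/1/content.bin"))
    print(resolve_content_url("store://../../../../../../etc/passwd"))  # None
    for client, url in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print("traversal attempt from", client, "->", url)
```

The containment check is deliberately done on the canonicalised result rather than by rejecting the string "..", because encoded, doubled or mixed-separator forms multiply faster than a denylist can follow; the log scan, by contrast, is a denylist and is meant only to raise alerts, not to decide what gets served.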
TaskID Injection
Severity: Medium
Impact: Various injection vulnerabilities
Exploitable: Remotely via a crafted malicious URL sent to an authenticated user
Related Issues: MNT-12234
Affects: All currently active versions of Alfresco Share prior to the fix versions listed below are impacted by this issue.
Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.49, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.
An attacker can inject JavaScript into a URL in a way that it can be run in a victim's browser.
The attacker can craft a malicious URL based on the workflow-details webscript. The taskId parameter can be made to include malicious JavaScript. Once the attacker has managed to trick a user who is logged into Alfresco into clicking the link, the user will be presented with a legitimate page from Share. However, if the user then clicks on the 'Task Details' link, the embedded JavaScript will be run in the user's browser.
Mitigation Strategies: Educating users to not click on unsolicited URLs and to manually navigate to relevant pages instead of relying on hyperlinks can help to mitigate the effects of this vulnerability.
Control Wrapper Injection
Severity: Medium
Impact: Injection of JavaScript, iFrames, and URLs
Exploitable: Remotely via a crafted malicious URL sent to an authenticated user
Related Issues: MNT-12392
Affects: All currently active versions of Alfresco prior to the fix versions listed below are impacted by this issue.
Fixed in: Alfresco has released hotfix versions on the latest service pack for all the currently supported major versions: Alfresco One version 4.2.3.3, Alfresco Enterprise 4.1.9.4, Alfresco Enterprise 4.0.2.49, Alfresco Enterprise 3.4.14.10. Alfresco Community Edition 5.0.b is not vulnerable to this issue.
An attacker can craft a malicious POST request based on the control-wrapper form component. The parameters can be made to include malicious JavaScript, malicious iFrame links and malicious URLs.
Once the attacker has managed to trick a user who is logged into Alfresco into submitting the link, the user will be presented with a legitimate page from Share. However, depending on the exact attack used, JavaScript could be run in the browser, or the browser could be made to request content from other sites without the user's knowledge.
All the attacks require an HTTP POST request, so a simple URL is not sufficient. One example of the POST request would be:
https://<server>:<port>/share/service/components/form/control-wrapper
Content-Type: application/x-www-form-urlencoded
X-Requested-With: application/json
....
htmlid=alf-id4%27%22%3E%3Ciframe+id%3D808+src%3Dhttp%3A%2F%2Fdemo.testfire.net%2Fphishing.html%3E&type=date&name=schedule.start.iso8601&label=Start%20Date&value=&controlParams=%7B%22showTime%22%3A%22true%22%7D&field=%7B%22mandatory%22%3Atrue%7D
The targeted control is only used by Alfresco Administrators, so non-administrator users are not affected.
Mitigation Strategies: Educating users to not click on unsolicited URLs and to manually navigate to relevant pages instead of relying on hyperlinks can help to mitigate the effects of this vulnerability. This attack specifically targets administrative users. Admin users should take special care in regards to unsolicited URLs.
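The following is an added example, not Alfresco Share's code, covering both the taskId parameter of the workflow-details webscript and the htmlid parameter of the control-wrapper component described above. It shows the two controls that address this class of issue on the server side: allowlist validation for identifier-like parameters, and context-aware output encoding as a backstop, so that a value like the htmlid in the example request is rejected before it reaches any markup. The parameter names come from the advisory; the rendering functions, the identifier pattern and the markup are assumptions for illustration.

```python
import html
import re
from urllib.parse import quote

# Allowlist for identifier-like parameters (taskId, htmlid). The exact
# pattern is an assumption for this example, not a product rule.
IDENTIFIER = re.compile(r"[A-Za-z0-9_$.-]{1,128}")


class InvalidParameter(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def require_identifier(name: str, value) -> str:
    """Accept only plain identifiers. Quotes, angle brackets and whitespace,
    the characters the injections above depend on, never pass."""
    if not isinstance(value, str) or not IDENTIFIER.fullmatch(value):
        raise InvalidParameter(f"{name} rejected")
    return value


def render_task_details_link_unsafe(task_id: str) -> str:
    """The vulnerable pattern: a parameter interpolated raw into markup.
    Shown only for contrast with the hardened version below."""
    return f'<a href="task-details?taskId={task_id}">Task {task_id}</a>'


def render_task_details_link(task_id: str) -> str:
    """Hardened: allowlist first, then encode separately for each output
    context (query string, attribute value, text node)."""
    task_id = require_identifier("taskId", task_id)
    href = "task-details?taskId=" + quote(task_id, safe="")
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'Task {html.escape(task_id)}</a>')


def render_control_wrapper(htmlid: str, label: str) -> str:
    """Hardened rendering of a form control wrapper: htmlid must be a plain
    identifier; the free-text label is escaped for its text context."""
    htmlid = require_identifier("htmlid", htmlid)
    # Backstop only: the allowlist above already excludes quote characters.
    attr_id = html.escape(htmlid, quote=True)
    return (f'<div id="{attr_id}" class="form-field">'
            f'<label for="{attr_id}-cntrl">{html.escape(label)}</label></div>')


def is_rejected(render, *args) -> bool:
    """True when rendering with the given arguments raises InvalidParameter."""
    try:
        render(*args)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed value in the shape of the advisory's example htmlid, URL-decoded.
    injected = 'alf-id4\'"><iframe src=x>'
    print(render_task_details_link("activiti$123"))
    print(render_control_wrapper("alf-id4", "Start Date"))
    print("injected htmlid rejected:", is_rejected(render_control_wrapper, injected, "Start Date"))
```

Validation runs on the server for every request regardless of method, which is why the fact that the control-wrapper issue needs a POST rather than a plain link reduces exposure but is not a control in itself; the allowlist is what removes the attacker's choice of characters, and the escaping guards the places where a free-text field such as label legitimately has to carry arbitrary input.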