The vulnerability (CVE-2017-1500) lingered in the products, Worklight and MobileFirst, for almost a year. Gabriele Gristina, a security consultant for the Italian information security firm Emaze Networks, first found the bug last summer, on August 29, 2016.
— Matrix (@gm4tr1x) August 1, 2017
Gristina found the vulnerability, technically a reflected XSS in the products’ OAuth Server’s Web API, while performing a penetration test on a mobile app. The app he was pentesting didn’t have any bugs, but he was surprised when he encountered a vulnerability in the framework itself.
“Generally I always find many security issues in every ‘target,’” Gristina told Threatpost, “When I tested this mobile application I found minor issues and I did not believe it so I started to fuzz the IBM security framework and after a little while I found the XSS vulnerability.”
The app was written using MobileFirst, a mobile application development platform formerly known as Worklight, made by IBM. The product lets developers build apps, see how they look on different devices, and manage how push notifications from the apps are sent to devices.
The problem, Gristina says, is that the framework didn’t properly validate the untrusted input in a GET parameter present in an authorization function exposed by the RESTful web API.
“In detail the logout functionality return a HTTP 403 Forbidden if the value of the ‘scope’ parameter is not defined in the ‘authenticationConfig.xml’ and reflect it without a proper validation in the response body,” Gristina wrote in a disclosure – accompanied by a proof-of-concept – on Wednesday.
The researcher adds that exploiting the vulnerability would be relatively easy, an attacker would just have to append a payload to the original value present in the GET parameter “scope.”
IBM confirmed the vulnerability in an entry on its X-Force Exchange service on Monday and said it would require a low level of complexity and privileges to exploit. The vulnerability received a modest CVSS 3.0 base score of 5.4 but could let a user embed arbitrary code in the Web UI, something that would alter the intended functionality and in turn, lead to credential disclosure in a trusted session, IBM warned.
The company pushed patches to remedy the flaw in two affected products, Worklight Enterprise Edition and MobileFirst Platform Foundation, two weeks ago, according to Gristina.
It’s unclear why it took IBM so long to patch the vulnerability. Gristina told Threatpost Wednesday he’s been wondering the same thing.
“Probably a business choice? Certainly I do not think it is a technical problem, since the solution is very simple,” Gristina said.
Until updated, versions 6.1 and 6.2 of Worklight and 6.3, 7.0, 7.1, and 8.0 of MobileFirst are vulnerable. Users can download the fixes, bringing the platform to versions 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, via IBM’s FixCentral portal.