Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
24 changed files
with
475 additions
and
114 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,13 +1,21 @@ | ||
| サイボウズ脆弱性報奨金制度 | ||
| ==== | ||
| このレポジトリは 「サイボウズ脆弱性報奨金制度」に関する詳細文書を保管することを目的としています。 | ||
| 「サイボウズ脆弱性報奨金制度」の概要については、以下をご参照ください。 | ||
| 脆弱性認定ガイドライン / Vulnerability Identification Guidelines | ||
| === | ||
|
|
||
| [サイボウズ脆弱性報奨金制度](http://cybozu.co.jp/company/security/bug-bounty/) | ||
|
|
||
| ## 脆弱性認定ガイドライン | ||
| サイボウズが脆弱性情報を報告いただいた際に、脆弱性の認定可否を判断する際に使用するガイドラインを公開する物です。 | ||
| サイボウズが脆弱性情報を報告いただいた際に、脆弱性の認定可否を判断する際に使用するガイドラインを公開するリポジトリです。 | ||
| 今後脆弱性情報を追記していくことを予定しています。 | ||
| [scope](scope/) | ||
| [Japanese](jp/scope/) | ||
|
|
||
| This document is a guideline to make a judgement about vulnerability. | ||
| We will add vulnerability information at a later date. | ||
| [English](en/scope) | ||
|
|
||
| ## サイボウズ脆弱性報奨金制度 / Cybozu Bug Bounty Program | ||
| サイボウズでは「脆弱性報奨金制度」を実施しています。 | ||
| 「サイボウズ脆弱性報奨金制度」の概要については、以下をご参照ください。 | ||
| [サイボウズ脆弱性報奨金制度](http://cybozu.co.jp/company/security/bug-bounty/) | ||
|
|
||
| Cybozu organizes bug bounty program by ourself. | ||
| If you want to know about the program, please confirm below. | ||
| [Cybozu Bug Bounty Program](https://cybozu.co.jp/products/bug-bounty/en/) | ||
|
|
||
| Copyright (C) Cybozu, Inc | ||
| Copyright (C) Cybozu, Inc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| CSV Excel Macro Injection(CEMI) | ||
| ==== | ||
|
|
||
| ## Vulnerability Overview | ||
|
|
||
| Many web applications allow users to download template files for settings such as user preferences. Many users may also choose to open CSV files in Excel, Libre Office, or Open Office. If web applications do not verify the contents of CSV files properly, entries in cells of the files may be executed as macros. | ||
|
|
||
| CSV Excel Macro Injection is an attack technique that abuses the trust of users. "The trust of users" mentioned here refers to the following: | ||
|
|
||
| 1. Users trust sites in which contents are stored. | ||
| 2. Users assume that their downloaded files are simple CSV files and that the files do not contain any functions or macros. | ||
|
|
||
| Therefore, users seldom heed warnings from Excel about possible malicious functions in downloaded files. | ||
|
|
||
| ## Is This Identified as a Vulnerability? | ||
| No | ||
|
|
||
| ## Reason This Is Not Identified as a Vulnerability | ||
|
|
||
| Cybozu has confirmed that some of such cases in other companies have been fixed. | ||
|
|
||
| > 90131 CSV Excel Macro Injection Vulnerability in export customer tickets Zendesk rewarded psychomantis with a $100 bounty for CSV Excel Macro Injection Vulnerability in export customer tickets. Zendesk resolved CSV Excel Macro Injection Vulnerability in export customer tickets that was submitted by psychomantis. | ||
| > [CSV Excel Macro Injection Vulnerability in export customer tickets](https://hackerone.com/reports/90131) | ||
| To prevent this vulnerability from manifesting, CSV data output from products must be modified. Specifically, if the entry of a cell begins with a symbol: '=', '+', or '-', the entry will have an additional single quotation mark (') at the beginning. However, in that case, CSV data cannot begin with a single quotation mark. We determined this solution to be unacceptable because the minus (-) sign in particular is frequently used. | ||
|
|
||
| We asked Microsoft about Excel specifications and got the answer below: | ||
|
|
||
| > Microsoft determines this case is not a vulnerability because the reported behavior occurs only when macros are enabled by users. For more information on Microsoft's definition of vulnerabilities and their immutable laws of security, also see the following web site. | ||
| > | ||
| > [Definition of a "Security Vulnerability"](http://technet.microsoft.com/ja-jp/library/gg983510.aspx) | ||
| > [Ten Immutable Laws of Security](https://technet.microsoft.com/ja-jp/library/gg983506.aspx#E1) | ||
| In light of this, we have conclusively decided not to treat the CSV Excel Macro Injection issue as vulnerability. | ||
|
|
||
| ## References | ||
|
|
||
| The description of the "Vulnerability Overview" section is an excerpt from the following source: | ||
|
|
||
| [CSV Excel Macro Injection](https://www.owasp.org/index.php/CSV_Excel_Macro_Injection) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| Cross Site Request Forgery(CSRF) | ||
| ==== | ||
|
|
||
| ## Vulnerability Overview | ||
| Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state changing requests. As the attacker has no way to see the response to the forged request, no data is stolen during these attacks. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim has administrative permissions, CSRF can compromise the entire web application. | ||
|
|
||
| ## Is This Identified as a Vulnerability? | ||
| Yes | ||
|
|
||
| ## Points That Need Protection Against This Vulnerability (Scope) | ||
| Processes that involve data modifications require protection against CSRF. | ||
|
|
||
| ### Examples of APIs That Need Protection Against CSRF | ||
| * User login | ||
| * APIs for changing data on servers and user authentication | ||
|
|
||
| ## Reason This Is Not Identified as a Vulnerability | ||
| The following processes involve updating data on servers. However, since the damage from the attack can be difficult to predict, we do not identify these processes as vulnerability. | ||
|
|
||
| * Logout process | ||
| * APIs that modify data as a side effect of GET (example: marking notifications as read) | ||
| * APIs for modifying data to maintain UI state (example: opening and closing processes for folders) * Excludes settings related to access permissions | ||
|
|
||
| ## References | ||
| The description of the "Vulnerability Overview" section is an excerpt from the following source: | ||
|
|
||
| [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| PDF FormCalc Attack | ||
| ==== | ||
|
|
||
| ## Vulnerability Overview | ||
|
|
||
| "PDF FormCalc Attack" is an attack technique that uses FormCalc, which is the operation language that was developed by Adobe. It was disclosed by Alexander Inführ at APPSEC EU 2015. | ||
| [https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-infuhr.pdf](https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-infuhr.pdf) | ||
| The key point of the attack is that using FormCalc can provide the ability to issue requests at the origin where PDF files were uploaded. | ||
|
|
||
| By exploiting the ability, attackers can send requests with a victim's cookies or CSRF protection tokens, which means that by using the privileges of a victim viewing a malicious site, attackers can execute any code on a specific product. | ||
|
|
||
| Users that meet any of the following conditions may be affected by the attack: | ||
|
|
||
| 1. Using applications with a function for uploading PDF files | ||
| 2. Have Adobe PDF Reader Plugin enabled on Microsoft Internet Explorer or Mozilla Firefox | ||
|
|
||
| The issue in which send cross-origin requests can be sent (CVE-2014-8453) has been fixed by Adobe. | ||
| Nevertheless, in Adobe's opinion, sending requests within the same origin is not regarded as vulnerability. | ||
|
|
||
| > From our perspective, website owners must realize that PDF is active content, and serving user-uploaded/malicious PDFs from a non-throwaway domain is effectively an XSS (just like hosting an arbitrary/malicious HTML). | ||
| ## Is This Identified as a Vulnerability? | ||
| No | ||
|
|
||
| ## Reason This Is Not Identified as a Vulnerability | ||
| For this issue, storing user content in a Sandbox Domain can reduce some degree of risk. | ||
| We recognize that many companies offering notable services, including Google, have implemented the above solution. | ||
| On the other hand, a specification of Cybozu products is that user uploaded content is stored in the same origin as the one running the programs. | ||
| For this specification to be amended, incompatible specifications must be modified. Such modification will cause a great burden on users. | ||
| Customers using the on-premise version in particular will encounter difficulties in configuring a different origin for storing user content. | ||
| In conclusion, given that the reproduced conditions are limited (meaning that using third party products is the prerequisite of the attack), we developed our own policy to handle this case as a restriction. | ||
|
|
||
| You can find information about restrictions on the following web page: | ||
| * [cybozu.com Restrictions](https://www.cybozu.com/jp/service/restrictions.html) | ||
| * [Understanding Usage of Adobe Acrobat Reader Plugin (2016/11/11)](https://cs.cybozu.co.jp/2016/006288.html) | ||
|
|
||
| When you are using Microsoft Internet Explorer or Mozilla Firefox, we recommended that you disable the Acrobat Reader Plugin if it is enabled. For checking and configuring your settings, see the following web pages: | ||
|
|
||
| * [Manage add-ons in Internet Explorer 11](https://support.microsoft.com/ja-jp/help/17447/windows-internet-explorer-11-manage-add-ons) | ||
| * [Use plugins to play audio, video, games and more](https://support.mozilla.org/ja/kb/use-plugins-play-audio-video-games) | ||
|
|
||
| ## References | ||
| * [JVNTA#94087669 Stealing Information with Crafted PDF Files](https://jvn.jp/ta/JVNTA94087669/) | ||
| * [Hack Patch!-PDF Special Features (for FormCalc)](https://shhnjk.blogspot.jp/2016/10/pdfformcalc.html) | ||
| * [InsertScript-Multiple PDF Vulnerabilities - Text and Pictures on Steroids](http://insert-script.blogspot.jp/2014/12/multiple-pdf-vulnerabilites-text-and.html) | ||
|
|
||
| ## Trademarks of Other Companies: | ||
| All company names, system names, and product names appearing in this document are registered trademarks or trademarks of their respective holders. | ||
| Trademark symbols, '™' and '®', are not indicated in this document. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| Vulnerability Identification Guidelines | ||
| ==== | ||
| This is a repository for Cybozu to publish the guidelines that are used in vulnerability identification when we receive reports on vulnerability information. | ||
|
|
||
| ## What Have Been Identified as Vulnerabilities | ||
|
|
||
| * [Cross Site Request Forgery (CSRF)](CSRF.md) | ||
| * [Sensitive Data Exposure](SensitiveDataExposure.md) | ||
| * [Reflected File Download](ReflectedFileDownload.md) | ||
| * [Vulnerability In Third-party Products](VulnerabilityInThird-partyProducts.md) | ||
| * [Vulnerability In WordPress](VulnerabilityInWordPress.md) | ||
| * [X-Frame-Options:SAMEORIGIN Output Defects](x-frame-options.md) | ||
|
|
||
| For other identified vulnerabilities, see the following document: | ||
| [Vulnerability Information Handling Policy](http://www.slideshare.net/cybozucommunity/ss-30074325/18) | ||
|
|
||
| Detailed identification conditions will be added at a later date. | ||
|
|
||
| ## What Are NOT Identified as Vulnerabilities | ||
| * [CSV Excel Macro Injection(CEMI)](CEMI.md) | ||
| * [PDF FormCalc Attack](PDFFormCalcAttack.md) | ||
| * [Tabnabbing.md](Tabnabbing.md) | ||
|
|
||
| Copyright (C) Cybozu, Inc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| Reflected File Download | ||
| ==== | ||
|
|
||
| ## Vulnerability Overview | ||
| Reflected File Download (RFD) is an attack technique that was presented by Oren Hafif at Black Hat Europe 2014. [https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf](https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf) | ||
|
|
||
| RFD allows the attacker to execute commands on the OS level of the victim's client computer. | ||
| In an RFD attack, the attacker prepares a malicious link and then directs a user on a trusted domain to the malicious link for downloading a malicious file. | ||
| When the victim opens the downloaded file from the trusted domain, OS commands (or scripts) that were prepared by the attacker are executed on the victim's computer. | ||
|
|
||
| Oren Hafif says that there are three requirements for a successful RFD attack: | ||
|
|
||
| 1. Reflected – Some user input is being "reflected" to the response content. (This is used to inject shell commands.) | ||
| 2. Filename – The URL of the vulnerable site or API is permissive, and accepts additional input. (This is often the case, and is used by attackers to set the extension of the file to an executable extension.) | ||
| 3. Download – The content of the response is downloaded as a file via the Web browser. (The browser then sets the filename by adding '(2)' to the name.) | ||
|
|
||
| ## Is This Identified as a Vulnerability? | ||
| Yes | ||
|
|
||
| ## Points That Need Protection Against This Vulnerability (Scope) | ||
| The points that meet all RFD requirements described in the "Vulnerability Overview" section are identified as RFD vulnerability. | ||
| However, RFD vulnerabilities in which file names and extensions can be tampered with during download will not be added to the bug bounty program hereafter. | ||
| In this case, the information may be publicly published with the assumption that the vulnerability will not be fixed. | ||
| Even in circumstances where extensions and file names can be overwritten, since the direct impact does not increase, we have assessed that the impact will be of low significance. | ||
| For Cybozu product users, a feature of our products is the ability to upload any files. | ||
| For non-Cybozu product users, some method is required for uploading a specific file through phishing and other techniques. | ||
| In addition, RFD vulnerabilities that can overwrite the contents of a file during download will be identified as new vulnerabilities. | ||
|
|
||
| Certain cases may be handled as similar cases of a vulnerability. For example, different processes that use the same logic expose a vulnerability in several places. | ||
|
|
||
| For more information, see []"Cybozu Bug Bounty Program Rulebook"](https://cybozu.co.jp/company/security/bug-bounty/guideline.pdf). | ||
|
|
||
| ## References | ||
|
|
||
| The description of requirements for a successful RFD attack is an excerpt from the following source: | ||
| * [Reflected File Download a New Web Attack Vector](https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector-wp.pdf) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| Sensitive Data Exposure | ||
| ==== | ||
|
|
||
| ## Overview | ||
| This document summarizes information that is treated as vulnerability when a possible information leak may occur due to product specifications/defects. | ||
|
|
||
| ## Is This Identified as a Vulnerability? | ||
| Yes. | ||
| We identify cases in which authentication information and similar information are leaked as vulnerabilities. Cases in which other types of information are leaked will not be considered vulnerabilities. | ||
|
|
||
| ### Information That Is Similar to Authentication Information | ||
| The following types of information are included: | ||
|
|
||
| * Information from which the presence of an account can be deduced | ||
| URL information that was only sent to specific persons (example: a URL that was sent to a user for a password reset, etc.) | ||
| * CSRF tokens (excluding cases in which users can use their own privileges to get a CSRF token for logged-in users) | ||
|
|
||
| ## Points That Need Protection Against This Vulnerability (Scope) | ||
| Cases in which the following information may be potentially leaked due to product specifications or defects outputting the information to logs, e-mail headers, or HTTP headers will be handled as vulnerabilities: | ||
|
|
||
| * Authentication information and similar information | ||
|
|
||
| In addition, cases in which processing related error messages (stack traces, etc.) are displayed on screens shall be similarly handled as vulnerabilities. | ||
|
|
||
| ## Reason This Is Not Identified as a Vulnerability | ||
| Cases in which the following information is leaked shall not be handled as a vulnerability as the information itself has been determined to not lead to an attack directly: However, this does not necessarily hold true to cases in which the specific attack method is clear. | ||
|
|
||
| * Local IP addresses in a data center | ||
| * Server banner information or information to software in use | ||
| * Unauthorized or unimplemented HTTP methods | ||
|
|
||
| ### Sending Confidential Information by E-mail | ||
| For e-mail encryption, the two points of consideration are as follows: | ||
|
|
||
| 1. Encrypting message bodies | ||
| 2 Encrypting e-mail transmission routes | ||
|
|
||
| #### Encrypting message bodies | ||
|
|
||
| Comparison of implementation cases for other cloud services and other such services reveals that encrypting message bodies of system e-mails has not been widely used. As of 2016, we have no plans for implementing this encryption. Therefore, we do not identify non-encrypted cases as vulnerabilities. | ||
|
|
||
| #### Encrypting e-mail transmission routes | ||
|
|
||
| We are considering this as a known issue and are planning to handle the issue. However, we cannot force all customers to enable encryption for communication, and such a specification change is not possible. Therefore, we do not identify the fact that transmission routes are not encrypted as a vulnerability. | ||
|
|
||
| ## References | ||
|
|
||
| * [OWASP Top 10 for 2013 A6 - Sensitive Data Exposure](http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf) | ||
| * [Disclosed Information from Error Messages](https://www.ipa.go.jp/security/awareness/vendor/programmingv1/b09_03.html) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| Tabnabbing | ||
| ==== | ||
|
|
||
| ## Vulnerability Overview | ||
| "Tabnabbing" is a phishing technique that was announced by Aza Raskin in 2010. | ||
| [http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/](http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/) | ||
|
|
||
| The Tabnabbing attack technique uses scripts to rewrite a page on an inactive tab to a malicious page (example: a fake page that looks like a real service login screen). When a user goes to the tab, the malicious page steals confidential information (example: login information). If one or both of the following conditions are met, the attack is successful. | ||
|
|
||
| - A link with the `target="_blank"` attribute specified exists in an attacked site | ||
| - The `window.open()` description exists in an attacked site | ||
|
|
||
| ## Is This Identified as a Vulnerability? | ||
| No | ||
|
|
||
| ## Reason This Is Not Identified as a Vulnerability | ||
|
|
||
| We have adopted the policy of not identifying "Tabnabbing" attacks as a vulnerability due to the following reasons: | ||
|
|
||
| - Solutions that use `rel="noopener"` and other attributes are not supported by some browsers, so not all browsers can be fully protected against the attack. | ||
| [http://caniuse.com/#feat=rel-noopener](http://caniuse.com/#feat=rel-noopener) | ||
| - Since there are a huge number of links in existing products, modifying all links would be very difficult. | ||
| - We have determined that the impact of the attack is limited and the risk is acceptable. | ||
|
|
||
| For reference, Google indicates a policy of excluding this case (phishing by navigating browser tabs) from rewards. | ||
| [https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener](https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener) | ||
|
|
||
| ## References | ||
|
|
||
| * [Tabnabbing: A New Type of Phishing Attack](http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/) | ||
| * [Phishing by navigating browser tabs(Google Bughunter University)](https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener) | ||
|
|
||
| ## Copyrights and Trademarks of Other Companies | ||
|
|
||
| All company names, system names, and product names appearing in this document are registered trademarks or trademarks of their respective holders. | ||
| Trademark symbols, '™' and '®', are not indicated in this document |
Oops, something went wrong.