Tenable Research has discovered multiple vulnerabilities, including cross-site scripting, open redirects and drive mapping, in LabKey Server Community Edition 18.2-60106.64. LabKey has released patches.
Background
LabKey Server, an open source medical data collaboration tool, is vulnerable to multiple cross-site scripting (XSS) attacks. The flaws allow a remote unauthenticated attacker to run arbitrary code in a user's browser, create open redirects to push users to malicious URLs, and map malicious network drives after gaining administrative access.
Analysis
CVE-2019-3911: Cross Site Scripting vulnerabilities
Parameters passed to query functions are not validated or sanitized properly. Because such a parameter is reflected in the output to the user and interpreted by the browser, a cross-site scripting attack becomes possible. This allows an attacker to run arbitrary code within the context of the user’s browser. The XSS attacks are possible whether the attacker is authenticated or unauthenticated, due to extra “__r#” paths that are available in a default installation.
CVE-2019-3912: Open Redirects
The returnUrl function is also not sanitized, which allows certain return paths to be edited. An attacker may use these to redirect users to a location the attacker controls.
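One way to validate a return path on the server before redirecting, shown as an added example and not LabKey's or Tenable's code. The function names, the `/home` default and the length limit are assumptions, and the checks go beyond the advisory's text to cover the common forms an off-site target can take.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/home"  # hypothetical landing page, not a LabKey path
MAX_LEN = 2048            # assumed upper bound for a return path


def is_local_return_url(value: str) -> bool:
    """Accept only an absolute path on the current site."""
    if not value or len(value) > MAX_LEN:
        return False
    # Browsers drop control characters and read "\" as "/", so a value
    # containing either can parse differently there than it does here.
    if "\\" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    if value != value.strip():
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed bracketed host
        return False
    # Any scheme or host means the target is not a plain local path.
    if parts.scheme or parts.netloc:
        return False
    # "/x" is local; "//host" and "///host" are treated as off-site by browsers.
    return value.startswith("/") and not value.startswith("//")


def resolve_return_url(value: str, default: str = DEFAULT_TARGET) -> str:
    """Return the requested path if it is local, else the default."""
    return value if is_local_return_url(value) else default


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "/project/begin?tab=1",
    "https://attacker.example/login",
    "//attacker.example/login",
    "/\\attacker.example",
    "javascript:alert(1)",
    "project/begin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {resolve_return_url(s)}")
```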
CVE-2019-3913: Logic Flaw in Network Drive Mapping Functionality
When mapping a network drive from the command line, a lack of sanitization in the mount() function would allow an attacker to mount their own malicious drives to the server. Note that admin access to the web interface is required for this vulnerability.
Solution
LabKey Server version 18.3.0-61806.763, released on January 16, fixes all of these issues.