Title: TeamPage 6.2.33

Traction® TeamPage 6.2.33 is focused on a small number of security-related changes. This update includes security improvements and bug fixes relating to cross-site scripting and cross-site request forgery attacks, open redirection, password change requests, and web socket validation. All customers should consider upgrading to this new version as soon as possible to ensure that their TeamPage server includes all current security updates. Cloud-hosted TeamPage servers have already been updated, with the exception of two instances for customers who requested a later update.

Download TeamPage 6.2.33

Security-Related Changes

Permissions

• Fixed a bug in determining the requesting user's permission with respect to certain file resources. An attacker could exploit this bug by using a specially crafted URL to download certain types of files. (Internal12423)

Cross-Site Scripting Attacks

• Fixed two bugs related to a failure to sanitize or otherwise properly handle certain incoming URL parameters or form field values. These bugs could be exploited to carry out cross-site scripting attacks, which would allow script of an attacker's choice to run in a user's browser in the context of certain pages if the user opened the link. (Internal12422 / Internal12435)

• Fixed a bug related to a failure to sanitize and validate certain URL parameter or form field values that track where the user should be sent when exiting certain pages. This bug could be exploited to carry out cross-site scripting attacks, which would allow script of an attacker's choice to run in a user's browser in the context of certain pages when the user clicked the "Exit" or "Cancel" button on a setup page. (Server91382)

Other Scripting Attacks

• Fixed a bug that could allow a user to insert arbitrary JavaScript into the content of an entry using attributes of a certain tag. This issue could be exploited to have other users' browsers execute scripts of the attacker's choice in the context of a TeamPage page whenever they viewed the entry. (Server91393)

Cross-Site Request Forgery Attacks

• Made some minor improvements to TeamPage's defenses against Cross-site request forgery attacks. (Internal12459)

• Modified the way that TeamPage creates certain HTTP cookies to prevent unauthorized access by any client-side scripts that a browser might mistakenly allow to execute in the context of a TeamPage website. (Internal12430)

• Added defenses against Cross-site request forgery attacks to certain entry points that provide support for file manipulation operations. Previously, an attacker could embed a form in a web page which, if triggered by an authenticated user, could perform certain file operations of the attacker's choosing. (Internal12424 / Internal12511)

Open Redirection

• Fixed a bug related to a failure to sanitize and validate certain URL parameter or form field values that track where the user should be sent when exiting certain pages. This bug could be exploited by an attacker to redirect a user who clicked an "Exit" or "Cancel" button on certain pages (e.g., Setup pages) to a website of the attacker's choosing. (Server91382)
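The "exit target" parameter behind Server91382 is the same value for both the open redirection above and the cross-site scripting item earlier on this page, so one validator covers both. This is an added example, not TeamPage's own code; the server origin and default target are constructed, and the rule it applies (accept only a same-origin absolute path, reject protocol-relative, backslash, control-character and scheme-carrying values) is a general defence rather than a description of the actual fix.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the only origin an "Exit"/"Cancel" button may send a user to,
# and where to send them when the supplied target cannot be trusted.
SERVER_ORIGIN = "https://teampage.example.com"
DEFAULT_TARGET = "/"


def safe_exit_target(raw):
    """Return a redirect target that stays on SERVER_ORIGIN, else DEFAULT_TARGET.

    The returned value is always a relative path (plus query), so it can be put
    in a Location header or an href without leaving the site or becoming a
    javascript: URL when reflected into a page.
    """
    if not raw:
        return DEFAULT_TARGET
    # Tabs, newlines and other control characters are stripped by browsers
    # before URL parsing ("/\t/evil" becomes "//evil"), so refuse them outright.
    if any(not ch.isprintable() or ch.isspace() for ch in raw):
        return DEFAULT_TARGET
    # Browsers treat "\" as "/" in the authority position, so "/\evil.com" is
    # really "//evil.com"; normalise before parsing.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allowed only for our own origin.
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if origin != SERVER_ORIGIN:
            return DEFAULT_TARGET
        path = parts.path or "/"
    else:
        path = parts.path
    # A relative target must be a single-slash absolute path; "//host" would be
    # protocol-relative (caught above) and "foo" is ambiguous.
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", path, parts.query, ""))
```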

Password Change Requests

• Changed the way that TeamPage enforces the policy on whether password changes are enabled, so that a password change that was requested while the feature was enabled, but used after an administrator turned it off, is now disallowed. (Internal12481)

• Modified the way that password change requests work to protect against cross-site request forgery attacks. (Internal12481)

• Added a setting to allow an administrator to have a TeamPage server respond to all password change requests with the same generic acknowledgement message. The password change request form appears in TeamPage's login form unless a server administrator has disabled the feature (or unless outgoing email is disabled). By default, when a user enters a user name or email address, TeamPage responds with a message confirming whether the associated active user account was found, and indicates the reason for any failure. If you are concerned that anyone who can reach the password change request form could probe your TeamPage server for the existence of user accounts or registered email addresses, you may wish to use this new setting to have TeamPage always respond to password change requests with the same generic message, regardless of success or failure. (Internal12425)
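The three password-change items above combine into one flow: a request that looks up the account and replies either in detail or generically, and a redemption step that re-checks the administrator's policy at use time rather than only when the token was issued. The model below is an added example, not TeamPage's code; the accounts, messages and the in-memory token store are constructed, and the emailed link is stood in for by an `outbox` list. The CSRF protection mentioned for the same change is not modelled.

```python
import secrets
import time

# Constructed example, not TeamPage's code: an in-memory model of the
# password-change-request flow the release notes describe.
USERS = {  # constructed sample accounts
    "alice": {"email": "alice@example.com", "active": True},
    "mallory": {"email": "mallory@example.com", "active": False},
}
GENERIC_MESSAGE = "If that account exists, instructions have been sent."

class PasswordChangeService:
    def __init__(self, change_enabled=True, generic_responses=False, ttl=900):
        self.change_enabled = change_enabled        # administrator's policy switch
        self.generic_responses = generic_responses  # the new setting (Internal12425)
        self.ttl = ttl
        self._tokens = {}    # token -> (username, expiry)
        self.outbox = []     # (email, token): stand-in for the emailed link

    def _find_active_user(self, identifier):
        ident = identifier.strip().lower()
        for name, rec in USERS.items():
            if rec["active"] and ident in (name, rec["email"].lower()):
                return name
        return None

    def request_change(self, identifier):
        """Handle the login-form request. The lookup runs whether or not the
        account exists, and in generic mode the reply never varies."""
        if not self.change_enabled:
            return "Password changes are disabled."
        user = self._find_active_user(identifier)
        if user:
            token = secrets.token_urlsafe(32)
            self._tokens[token] = (user, time.time() + self.ttl)
            self.outbox.append((USERS[user]["email"], token))
        if self.generic_responses:
            return GENERIC_MESSAGE
        return f"Instructions sent to {user}." if user else f"No active account for {identifier!r}."

    def redeem(self, token, new_password):
        """Re-check the policy at use time (Internal12481): a token issued while
        the feature was enabled must not work after an administrator turns it off."""
        if not self.change_enabled:
            return False     # token is left in place; it works again only if re-enabled
        entry = self._tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return False
        # ...store the new password hash for entry[0] here
        return True
```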

Websockets

• Changed the way that TeamPage validates incoming websocket handshake requests to ensure that this kind of connection can't be initiated by unauthorized websites. (Internal12501)
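A browser always sends an Origin header on the WebSocket upgrade request, so the server-side check that stops other websites from opening a socket with the victim's session cookie is to accept the handshake only when that origin is on an allow-list. This is an added example, not TeamPage's code; the allowed origin and the header dictionary are constructed, and the choice to reject a handshake with no Origin header at all is this example's policy.

```python
from urllib.parse import urlsplit

# Constructed example, not TeamPage's code. Origins allowed to open a socket to
# this server, in canonical form: scheme, lower-case host, explicit port.
ALLOWED_ORIGINS = {"https://teampage.example.com:443"}


def _canonical_origin(value):
    """Normalise an Origin header value so host case and default ports don't matter.

    Returns None for anything that is not an http(s) origin, including the
    literal "null" that sandboxed iframes and file:// pages send.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def validate_ws_handshake(headers):
    """Return (accepted, reason) for the headers of an HTTP Upgrade request.

    `headers` is a dict keyed by lower-case header name (constructed input).
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "Connection header lacks Upgrade"
    if headers.get("sec-websocket-version") != "13":
        return False, "unsupported websocket version"
    if not headers.get("sec-websocket-key"):
        return False, "missing Sec-WebSocket-Key"
    origin = headers.get("origin")
    if origin is None:
        # Only non-browser clients omit Origin; this example does not serve them.
        return False, "missing Origin"
    if _canonical_origin(origin) not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    return True, "ok"
```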

Attachments:
teampage_logo.jpg
Article: Customer5135 (permalink)
Categories: :Doc:changelog, :Doc:r62
Date: February 18, 2019; 10:29:05 PM Eastern Standard Time

Author Name: Dave Shepperton
Author ID: shep