usd-2022-0033 | Seafile 9.0.6 - Open redirect

Advisory ID: usd-2022-0033
Product: Seafile
Affected Version: 9.0.6
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Security Risk: Medium
Vendor URL: https://seafile.com
Vendor Status: fixed
CVE number: requested

Description

The Seafile application lets users set up a self-hosted cloud storage system. It supports common functions such as synchronization of files between server and client, as well as group sharing.
The `next` parameter of the `/accounts/login` endpoint allows a remote attacker to redirect users to arbitrary sites.

Proof of Concept

The `next` parameter in the Seafile 9.0.6 `/accounts/login` endpoint is vulnerable to Open Redirect. An example request is shown below.

$ curl -v http://localhost.localdomain/accounts/login/?next=https://usd.de

In this example, after logging in, a user would be redirected to the web page specified in the `next` parameter.

Fix

It is recommended not to use dynamic forwarding. If this is not possible, it is recommended to perform forwarding only to explicitly allowed destinations.
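As an added illustration of the second recommendation (example code, not Seafile's own), the check below accepts a `next` value only when it is a rooted same-site path or an `https` URL on an explicit allow-list, and otherwise falls back to a default landing page; the allow-listed host `files.example.org` and the helper names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; Seafile's real configuration is not part of the advisory.
ALLOWED_REDIRECT_HOSTS = frozenset({"files.example.org"})
DEFAULT_LANDING = "/"


def is_safe_redirect(next_url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return True only if next_url is a same-site path or an explicitly allowed https host."""
    if not next_url:
        return False
    # Browsers parse control characters and whitespace inconsistently; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in next_url):
        return False
    # Browsers normalise '\' to '/', so '/\host' is really the protocol-relative '//host'.
    normalised = next_url.replace("\\", "/")
    # Protocol-relative targets ('//host/...') change the host without naming a scheme.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute URL (this also covers 'javascript:' and 'http:/host' variants):
        # allow only https to an allow-listed host, compared on the whole netloc so that
        # userinfo tricks such as 'https://allowed@other' do not match.
        return parts.scheme == "https" and parts.netloc.lower() in allowed_hosts
    # Relative target: require a rooted path on this site.
    return normalised.startswith("/")


def resolve_next(next_url, default=DEFAULT_LANDING, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Redirect target to use after login: the validated value or the default landing page."""
    return next_url if is_safe_redirect(next_url, allowed_hosts) else default


if __name__ == "__main__":
    # The advisory's PoC value is replaced by the default landing page; a local path passes.
    for candidate in ("https://usd.de", "/accounts/", "//usd.de", "/\\usd.de", "javascript:alert(1)"):
        print(f"{candidate!r:24} -> {resolve_next(candidate)!r}")
```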

References

Timeline

  • 2022-07-15: First contact request via info@seafile.com
  • 2022-08-02: Second contact request via info@seafile.com
  • 2022-08-11: Third contact request via info@seafile.com and seafile@datamate.org
  • 2022-09-02: Vendor reports vulnerability as fixed (usd-2022-0032). Second advisory still in triage (usd-2022-0033)
  • 2022-10-31: Both advisories fixed in new release 9.0.7
  • 2023-02-14: The advisory is published

Credits

This security vulnerability was found by Christian Pöschl of usd AG.