usd-2022-0010 | Broken Access Control in Filerun (Update 20220202)
Advisory ID: usd-2022-0010
Affected Version: <= Update 20220202
Vulnerability Type: https://cwe.mitre.org/data/definitions/284.html
Security Risk: Medium
Vendor URL: https://filerun.com
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Filerun allows users to place comments on their uploaded files. Due to improper access control comments on files can be deleted by any user.
Proof of Concept
In the following, an exemplary request to delete a comment is given:
POST /?module=comments§ion=ajax&page=remove HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 115 Cookie: FileRunSID=[REDACTED] [...]
By setting the parameter commentId a user can delete any comment, even if it is not owned by the user.
It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. Only allow required users to remove comments (e.g. file owner, shared users).
- 2022-04-22: Vulnerability identified by Christian Pöschl
- 2022-04-25: First contact request via firstname.lastname@example.org
- 2022-04-29: Vulnerability details submitted to Vendor
- 2022-05-10: Fixed by Vendor
- 2022-10-31: This advisory is published
This security vulnerability was found by Christian Pöschl of usd AG.