usd-2022-0033 | Seafile 9.0.6 - Open redirect
Advisory ID: usd-2022-0033
Product: Seafile
Affected Version: 9.0.6
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Security Risk: Medium
Vendor URL: https://seafile.com
Vendor Status: fixed
CVE number: requested
Description
The Seafile application allows users to set up a self-hosted cloud storage system. It supports common functions such as synchronization of files between server and client, as well as group sharing.
The `next` parameter of the `/accounts/login` endpoint allows a remote attacker to redirect users to arbitrary sites.
Proof of Concept
The `next` parameter in the Seafile 9.0.6 `/accounts/login` endpoint is vulnerable to Open Redirect. An example request is shown below.
$ curl -v http://localhost.localdomain/accounts/login/?next=https://usd.de
In this example, after logging in, a user would be redirected to the web page specified in the `next` parameter.
Fix
It is recommended not to use dynamic forwarding. If this is not possible, it is recommended to perform forwarding only to explicitly allowed destinations.
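The allow-list approach described in the Fix section, as an added Python example that is not Seafile's own code: a `next` value is only honoured if it is a same-site path or points at an explicitly allowed host, and lookalike inputs (protocol-relative URLs, backslashes, non-http schemes) are rejected. `ALLOWED_HOSTS`, `is_safe_redirect` and `resolve_redirect` are hypothetical names, and `cloud.example.org` is a constructed value.

```python
"""Allow-list check for a login ``next`` redirect parameter (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts the application may redirect to (constructed example value).
ALLOWED_HOSTS = {"cloud.example.org"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> bool:
    """Return True only if ``target`` stays on this site or an allowed host."""
    if not target:
        return False
    # Browsers treat backslashes as slashes; normalise first so that
    # "/\evil.example" is parsed as the protocol-relative URL it really is.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    # Only http(s) may be redirected to; this also rejects "javascript:" URLs.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # No host given: accept only a same-site path with exactly one leading
        # slash. "//evil.example" carries a netloc and never reaches this branch,
        # "///evil.example" and "https:evil.example" are rejected here.
        return target.startswith("/") and not target.startswith("//")
    # Userinfo and port are dropped by .hostname; compare case-insensitively.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(next_param: str | None) -> str:
    """Choose the post-login destination, falling back to the default page."""
    if next_param and is_safe_redirect(next_param):
        return next_param
    return DEFAULT_TARGET


if __name__ == "__main__":
    # The advisory's proof-of-concept value is refused; a local path is kept.
    print(resolve_redirect("https://usd.de"))  # -> /
    print(resolve_redirect("/home/"))  # -> /home/
```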
References
- https://owasp.org/www-community/attacks/xss/
- https://manual.seafile.com/changelog/server-changelog/#908-2022-09-07
Timeline
- 2022-07-15: First contact request via info@seafile.com
- 2022-08-02: Second contact request via info@seafile.com
- 2022-08-11: Third contact request via info@seafile.com and seafile@datamate.org
- 2022-09-02: Vendor reports vulnerability as fixed (usd-2022-0032). Second advisory still in triage (usd-2022-0033)
- 2022-10-31: Both advisories fixed in new release 9.0.7
- 2023-02-14: The advisory is published
Credits
This security vulnerability was found by Christian Pöschl of usd AG.