{"id":19470,"date":"2023-02-15T10:20:03","date_gmt":"2023-02-15T09:20:03","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19470"},"modified":"2023-02-15T10:20:06","modified_gmt":"2023-02-15T09:20:06","slug":"usd-2022-0033","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0033\/","title":{"rendered":"usd-2022-0033"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.19.5\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n<h1>usd-2022-0033 | Seafile 9.0.6 - Open redirect<\/h1>\n<p><strong>Advisory ID:<\/strong> usd-2022-0033<br \/>\n<strong>Product:<\/strong> Seafile<br \/>\n<strong>Affected Version:<\/strong> 9.0.6<br \/>\n<strong>Vulnerability Type:<\/strong> <span>URL Redirection to Untrusted Site (CWE-601)<\/span><br \/>\n<strong>Security Risk:<\/strong> Medium<br \/>\n<strong>Vendor URL:<\/strong> <a>https:\/\/seafile.com<\/a><br \/>\n<strong>Vendor Status:<\/strong> fixed<br \/>\n<strong>CVE number:<\/strong><span>\u00a0 requested<\/span><\/p>\n<p><span><\/span><\/p>\n<h2>Description<\/h2>\n<p>The Seafile application allows to set up a self-hosted cloud storage system. It supports common functions such as synchronization of files between server and client, as well as group sharing.<br \/>\nThe `next` parameter in the `\/accounts\/login` endpoint allows an remote attacker to redirect users to arbitrary sites.<\/p>\n<h2>Proof of Concept<\/h2>\n<p>The `next` parameter in the Seafile 9.0.6 `\/accounts\/login` endpoint is vulnerable to Open Redirect. An example request is shown below.<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nf\" style=\"background: #263238;color: #82aaff\">$ <\/span> <span class=\"nn\" style=\"background: #263238;color: #ffcb6b\">curl -v http:\/\/localhost.localdomain\/accounts\/login\/?next=https:\/\/usd.de<\/span>\n<\/pre>\n<\/div>\n<p>In this example, after logging in, a user would be redirected to the web page specified in the `next` parameter.<\/p>\n<h2>Fix<\/h2>\n<p>It is recommended not to use dynamic forwarding. If this is not possible, it is recommended to perform forwarding only to explicitly allowed destinations.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a>https:\/\/owasp.org\/www-community\/attacks\/xss\/<\/a><\/li>\n<li><a href=\"https:\/\/manual.seafile.com\/changelog\/server-changelog\/#908-2022-09-07\" target=\"_blank\" rel=\"noopener\">https:\/\/manual.seafile.com\/changelog\/server-changelog\/#908-2022-09-07<\/a><\/li>\n<\/ul>\n<h2>Timeline<\/h2>\n<ul>\n<li><strong>2022-07-15:<\/strong> First contact request via <a href=\"mailto:info@seafile.com\">info@seafile.com<\/a><\/li>\n<li><strong>2022-08-02:<\/strong> Second contact request via <a href=\"mailto:info@seafile.com\">info@seafile.com<\/a><\/li>\n<li><strong>2022-08-11:<\/strong> Third contact request via info@seafile.com and <a href=\"mailto:seafile@datamate.org\">seafile@datamate.org<\/a><\/li>\n<li><strong>2022-09-02:<\/strong> Vendor reports vulnerability as fixed (usd-2022-0032). Second advisory still in triage(usd-2022-0033)<\/li>\n<li><strong>2022-10-31:<\/strong> Both advisories fixed in new release 9.0.7<\/li>\n<li><strong>2023-02-14:<\/strong> The advisory is published<\/li>\n<\/ul>\n<h2>Credits<\/h2>\n<p>This security vulnerability was found by Christian P\u00f6schl of usd AG.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2022-0033 | Seafile 9.0.6 - Open redirect Advisory ID: usd-2022-0033 Product: Seafile Affected Version: 9.0.6 Vulnerability Type: URL Redirection to Untrusted Site (CWE-601) Security Risk: Medium Vendor URL: https:\/\/seafile.com Vendor Status: fixed CVE number:\u00a0 requested Description The Seafile application allows to set up a self-hosted cloud storage system. It supports common functions such as synchronization [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-19470","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=19470"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19470\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=19470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}