usd-2022-0033 | Seafile 9.0.6 - Open redirect
Advisory ID: usd-2022-0033
Affected Version: 9.0.6
Vulnerability Type: URL Redirection to Untrusted Site (CWE-601)
Security Risk: Medium
Vendor URL: https://seafile.com
Vendor Status: fixed
CVE number: requested
Description
The Seafile application allows users to set up a self-hosted cloud storage system. It supports common functions such as synchronization of files between server and client, as well as group sharing.
The `next` parameter of the `/accounts/login` endpoint allows a remote attacker to redirect users to arbitrary sites.
Proof of Concept
The `next` parameter in the Seafile 9.0.6 `/accounts/login` endpoint is vulnerable to an open redirect. An example request is shown below.
$ curl -v http://localhost.localdomain/accounts/login/?next=https://usd.de
In this example, after logging in, a user would be redirected to the web page specified in the `next` parameter.
Fix
It is recommended not to use dynamic forwarding at all. If this is not possible, forwarding should only be performed to explicitly allowed destinations (for example, relative paths on the same site or a fixed allowlist of hosts).
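The following is an added example of the allowlist-based check recommended above; it is not Seafile's code, and the allowed host `cloud.example.org` and the default landing path `/` are constructed for the example. It accepts only same-site absolute paths or http(s) URLs whose host is on the allowlist, and it rejects the forms that commonly slip past a naive prefix check: scheme-relative URLs (`//host`, `///host`), backslash variants (`/\host`), userinfo tricks (`https://allowed@evil`) and non-http schemes.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to. Constructed for this example; a real
# deployment would populate this from its configured service hostname(s).
ALLOWED_HOSTS = {"cloud.example.org"}
# Where to send the user when the requested `next` value is not acceptable.
DEFAULT_NEXT = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is an absolute path on this site or an
    absolute http(s) URL whose host is explicitly allowed."""
    if not target:
        return False
    target = target.strip()
    # Browsers treat backslashes like forward slashes, so "/\evil.example"
    # is really "//evil.example"; normalise before any further checks.
    target = target.replace("\\", "/")
    parts = urlsplit(target)

    if parts.scheme:
        # Absolute URL: only http(s), and the host must be on the allowlist.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # .hostname strips userinfo and port, so "https://cloud.example.org@evil"
        # yields "evil" here; "http:///evil" has no netloc and yields None.
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts

    # No scheme: accept a same-site absolute path only. "//host" and "///host"
    # are scheme-relative and resolve to a foreign host in browsers.
    return target.startswith("/") and not target.startswith("//")


def safe_next(target: str) -> str:
    """Return `target` if it is an acceptable redirect, else the default."""
    return target if is_safe_redirect(target) else DEFAULT_NEXT


if __name__ == "__main__":
    # Constructed sample values of the `next` parameter for demonstration.
    for candidate in ["/my-libs/", "https://cloud.example.org/lib/",
                      "https://usd.de", "//usd.de", "/\\usd.de",
                      "https://cloud.example.org@usd.de", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_next(candidate)!r}")
```

Frameworks such as Django ship an equivalent helper (`django.utils.http.url_has_allowed_host_and_scheme`); the point of the check, whichever implementation is used, is that the decision is made against a fixed allowlist after full URL parsing, never by string-prefix matching on the raw parameter.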
Timeline
- 2022-07-15: First contact request via firstname.lastname@example.org
- 2022-08-02: Second contact request via email@example.com
- 2022-08-11: Third contact request via firstname.lastname@example.org and email@example.com
- 2022-09-02: Vendor reports vulnerability as fixed (usd-2022-0032). Second advisory still in triage (usd-2022-0033)
- 2022-10-31: Both advisories fixed in new release 9.0.7
- 2023-02-14: The advisory is published
Credits
This security vulnerability was found by Christian Pöschl of usd AG.