Potential XSS in FileBrowser leads to Admin account takeover in Filebrowser #2570
Comments
Huh, shouldn't this be reported in private?
I am sorry and I had no other way to report this privately.
I was able to reproduce and fix it, will submit an MR for the fix ASAP.
That's appreciated. Thanks.
(cherry picked from commit b508ac3)
Description
A Cross-Site Scripting vulnerability was discovered in FileBrowser. An attacker who holds a non-admin user account on the FileBrowser instance can create malicious HTML and JS files, craft a link to the HTML file in a specific way, and send that link to the Admin. When the Admin opens it, the script executes in the Admin's session, bypassing the Content-Security-Policy and leading to account takeover.
Proof of Concept
// xss.js
// xss.htm
It will trigger an alert pop-up with Admin's Cookie.
Explanation
The parameter "?auth=[non-admin token]" is added to the URL so that, when the Admin opens it, FileBrowser fetches the HTML/JS files using the non-admin user's token. Without it, FileBrowser would use the Admin's own JWT stored as a Cookie, and because the files were created by the non-admin user, fetching them with the Admin's token results in a "404 Not Found" error. Since the API also accepts the JWT in the "?auth=" GET parameter, the non-admin user can deliberately supply his own JWT token in the malicious URL for successful exploitation.
The "?inline=true" parameter is included in the crafted URL because without it FileBrowser treats the HTML file as an attachment and downloads it as a file. With "inline=true" the HTML file is treated as a webpage, and the JavaScript executes.
The Content-Security-Policy (CSP) is bypassed because FileBrowser sets "default-src" to 'self'. As the malicious JS is loaded from the same site, it satisfies that policy and gets executed.
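The explanation above names three conditions that combine into the bypass: the raw endpoint accepts the JWT from a query parameter, `inline=true` makes it render stored HTML in the application's origin, and a `'self'` CSP then allows the same-origin script. The following Go handler is an added example written for this page, not FileBrowser's code or the fix the maintainer merged; the route `/api/raw/`, the cookie name `auth`, and the function names are assumptions. It shows how a raw-file endpoint can refuse to render active content (HTML, SVG, JS) inline, force it to a download with a `sandbox` CSP instead, and read the session token only from the cookie or Authorization header, so a token embedded in a link has no effect.

```go
package main

// Added example (not FileBrowser's code): hardened serving of user-uploaded
// files so that HTML/SVG/JS stored by a low-privileged user never executes in
// the application's origin, even when "?inline=true" is requested, plus a
// token reader that ignores the "auth" query parameter. Route, cookie name and
// function names are assumptions made for the illustration.

import (
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
	"strings"
)

// activeContent lists media types a browser executes when rendered inline;
// served same-origin they satisfy a "default-src 'self'" CSP.
var activeContent = map[string]bool{
	"text/html":              true,
	"application/xhtml+xml":  true,
	"image/svg+xml":          true,
	"text/javascript":        true,
	"application/javascript": true,
	"application/xml":        true,
	"text/xml":               true,
}

// RawFileHeaders returns the response headers for serving the stored file
// name. Inline rendering is honoured only for passive, known types (images,
// PDF, plain text); active or unknown content is always forced to a download
// and sandboxed, so the application's own CSP is irrelevant to it.
func RawFileHeaders(name string, inlineRequested bool) http.Header {
	h := http.Header{}
	// Never let the browser guess a more dangerous type than the one declared.
	h.Set("X-Content-Type-Options", "nosniff")

	ct := mime.TypeByExtension(strings.ToLower(filepath.Ext(name)))
	if ct == "" {
		ct = "application/octet-stream"
	}
	mediaType, _, err := mime.ParseMediaType(ct)
	if err != nil {
		mediaType = "application/octet-stream"
	}
	h.Set("Content-Type", ct)

	safeName := strings.ReplaceAll(filepath.Base(name), `"`, "")
	if inlineRequested && !activeContent[mediaType] && mediaType != "application/octet-stream" {
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", safeName))
		return h
	}
	// Download only; the sandbox directive denies script execution and
	// same-origin access should a client still render the body.
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", safeName))
	h.Set("Content-Security-Policy", "sandbox")
	return h
}

// TokenFromRequest reads the JWT from the Authorization header or the session
// cookie (assumed name "auth"). The "auth" query parameter is deliberately not
// consulted: a token carried in a link would otherwise let the victim's
// browser act as whoever crafted the link.
func TokenFromRequest(r *http.Request) (string, bool) {
	if v := r.Header.Get("Authorization"); strings.HasPrefix(v, "Bearer ") {
		return strings.TrimSpace(strings.TrimPrefix(v, "Bearer ")), true
	}
	if c, err := r.Cookie("auth"); err == nil && c.Value != "" {
		return c.Value, true
	}
	return "", false
}

// RawHandler ties both checks together; the file body is a constructed stub.
func RawHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := TokenFromRequest(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	name := strings.TrimPrefix(r.URL.Path, "/api/raw/")
	for k, v := range RawFileHeaders(name, r.URL.Query().Get("inline") == "true") {
		w.Header()[k] = v
	}
	fmt.Fprint(w, "<constructed file body>")
}

func main() {
	http.HandleFunc("/api/raw/", RawHandler)
	fmt.Println("listening on 127.0.0.1:8080")
	if err := http.ListenAndServe("127.0.0.1:8080", nil); err != nil {
		fmt.Println(err)
	}
}
```

With these headers a link to a stored `.htm` file, with or without `inline=true`, produces a download rather than a rendered page, and a token placed in the query string is simply ignored, so the request is authenticated (or rejected) as the viewer, not as the link's author.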
Impact
This vulnerability is capable of Admin account takeover. The Admin can run system shell commands and access the filesystem, so the takeover leads to arbitrary command execution.