Bishop Fox Security Advisory: Multiple Security Vulnerabilities Discovered in Jirafeau Version 3.3.0 

Title:

Jirafeau Version 3.3.0 – Multiple Vulnerabilities (Including Cross-site Scripting and Cross-site Request Forgery) 

Release Date (Vendor Patch):

May 11, 2018

Reported Date:

May 3, 2018 

Vendor:

Jirafeau

Version Affected:

3.3.0

Summary:

Jirafeau is an open source file sharing web application, distributed under an AGPL version 3 license. It is a fork of the project Jyraphe and allows users to share files for a defined period and protect downloads via a password. The project’s official website is gitlab.com/mojo42/Jirafeau. The latest version of the application is 3.3.0, released on September 8, 2017. Ten vulnerabilities were identified within the Jirafeau web application – five cross-site scripting vulnerabilities (two stored and three reflected) as well as five cross-site request forgery vulnerabilities.

Vendor Status:

The vendor has been notified and, as of May 11, the patched version 3.4.1 has been released. Please update to this version if you haven’t already. 


Stored Cross-site Scripting (CVE-2018-11351)

The Jirafeau web application was affected by two stored cross-site scripting (XSS) vulnerabilities; the injected payloads are persisted in the description file that accompanies each shared file. These vulnerabilities allow the execution of a JavaScript payload each time an administrator searches or lists uploaded files. The vulnerabilities could be exploited without authentication and used to target administrators and steal their sessions.

Vulnerability Details

CVE ID: CVE-2018-11351

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-79

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Two XSS vulnerabilities are located in the file upload form (/script.php) and are executed on the admin panel (/admin.php). By injecting JavaScript payloads into the file upload form, an attacker could manipulate a user’s session and gain admin access to the application. No authentication is required for exploitation. The weak parameters are Content-Type and filename.

To demonstrate the attack, the following payload could be used for the Content-Type parameter:

The following payload could be used for the filename parameter:

The request below could be used to exploit the vulnerabilities:

Reflected Cross-site Scripting (CVE-2018-11350, CVE-2018-11408, CVE-2018-13409)

The Jirafeau web application is affected by three reflected cross-site scripting (XSS) vulnerabilities that require user interaction to be executed.

Vulnerability Details

CVE ID: CVE-2018-11350, CVE-2018-11408, CVE-2018-13409

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-79

CVSS Base Score: 6.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Reflected XSS in the Search File By Name Form (Admin Panel) – CVE-2018-11350

The search file by name form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by name form, an attacker could manipulate user sessions. The weak parameter is name. The following payload can be injected into the name parameter to trigger the vulnerability:

The request below could be used to exploit the vulnerability:

Reflected XSS in the Search File By Hash Form (Admin Panel) (CVE-2018-13409)

The search file by hash form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by hash form, an attacker could manipulate user sessions. The weak parameter is hash. The following payload can be injected into the hash parameter to trigger the vulnerability:

The request below could be used to exploit the vulnerability:

Reflected XSS in the Search File By Link Form (Admin Panel) (CVE-2018-11408)

The search file by link form is affected by one cross-site scripting vulnerability. By injecting a JavaScript payload into the search file by link form, an attacker could manipulate user sessions. The weak parameter is link. The following payload can be used for the link parameter to trigger the vulnerability:

Cross-site Request Forgery (CVE-2018-11349 and CVE-2018-13407) 

The Jirafeau web application is affected by five cross-site request forgery (CSRF) vulnerabilities that require user interaction to be executed.

Vulnerability Details

CVE ID: CVE-2018-11349 

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-352

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CSRF on Search File functionalities (Admin Panel)

The administration panel is vulnerable to three CSRF attacks on the search file functionalities. The vulnerability could be used to force a logged-in administrator to perform a file search. This CSRF could be used to trigger the reflected XSS vulnerabilities, which require the victim to be authenticated. The reflected XSS vulnerabilities are described in the section above.

This vulnerability could be triggered by driving an administrator logged into the Jirafeau application to a specially crafted web page. The attack could be done silently.

The code snippet below permits the silent exploitation of all three CSRF vulnerabilities by driving a logged administrator to the search file page:

CSRF on Delete File functionalities (Admin Panel) (CVE-2018-13407)

The administration panel is vulnerable to two CSRF attacks that could be used to force a logged-in administrator to delete files uploaded by other users of the Jirafeau application. The vulnerabilities could be triggered by driving an administrator logged into the Jirafeau application to a specially crafted web page. This attack could be done silently.

The code snippet can be used to silently exploit both CSRF vulnerabilities by driving a logged-in administrator to use the delete file functionality:
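Added example, not Jirafeau's own code: a minimal Python model of the two fixes these findings call for, HTML-encoding the stored filename and Content-Type (and any echoed search term) before they reach the admin listing, and requiring a per-session CSRF token on the admin search and delete actions. The handler names and the sample file metadata are constructed for illustration.

```python
import hmac
import html
import secrets

# Constructed sample of stored upload metadata: the filename and Content-Type
# are attacker-controlled at upload time and later shown to the administrator.
SAMPLE_FILES = [
    {"filename": "report.pdf", "content_type": "application/pdf"},
    {"filename": 'x"><script>alert(1)</script>.txt',
     "content_type": "text/plain<script>alert(2)</script>"},
]

def esc(value):
    """HTML-encode user-controlled text (including quotes) before rendering it."""
    return html.escape(value, quote=True)

def issue_csrf_token(session):
    """Bind one random token to the session; every admin form must echo it back."""
    session.setdefault("csrf", secrets.token_urlsafe(32))
    return session["csrf"]

def csrf_ok(session, form):
    """Constant-time check; a missing or foreign token fails closed."""
    expected, supplied = session.get("csrf"), form.get("csrf")
    return bool(expected) and isinstance(supplied, str) and hmac.compare_digest(expected, supplied)

def render_listing(files, needle=""):
    """Admin file list: every stored field and the echoed search term are escaped."""
    rows = "".join(
        f"<tr><td>{esc(f['filename'])}</td><td>{esc(f['content_type'])}</td></tr>"
        for f in files if needle in f["filename"]
    )
    return f"<p>Search: {esc(needle)}</p><table>{rows}</table>"

def handle_admin(session, method, form, files):
    """Search and delete only via POST carrying the session's CSRF token."""
    if method != "POST":
        return 200, render_listing(files)
    if not csrf_ok(session, form):
        return 403, "<p>Invalid CSRF token</p>"
    action = form.get("action")
    if action == "search_name":
        return 200, render_listing(files, form.get("name", ""))
    if action == "delete":
        files[:] = [f for f in files if f["filename"] != form.get("filename")]
        return 200, render_listing(files)
    return 400, "<p>Unknown action</p>"
```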

Disclosure Timeline:

  • October 23, 2017: Initial discovery
  • April 3, 2018: Contact with vendor
  • May 3, 2018: Vendor acknowledged vulnerabilities
  • May 11, 2018: Vendor released patched version 3.4.1
  • May 28, 2018: Vulnerabilities publicly disclosed

Researcher:

Florian Nivette, Security Associate at Bishop Fox 

For Reference:

CVE-2018-11349

CVE-2018-11350

CVE-2018-11351

CVE-2018-13407

CVE-2018-11408

CVE-2018-13409