To protect Pentest Factory's own IT infrastructure against attacks, internal penetration tests are an essential part of our strategy, with an additional focus on systems that process sensitive client data. In a penetration test of our file transfer platform FTAPI, we identified two vulnerabilities that we forwarded to the vendor for a patch. Both vulnerabilities were fixed in the subsequent FTAPI release and can no longer be exploited in current software versions.
We thank the FTAPI team for the quick and uncomplicated disclosure and remediation process.
The details of each vulnerability follow in this blog article.
CVE-2021-25277: FTAPI Stored XSS (via File Upload)
The FTAPI web application is vulnerable to stored Cross-Site Scripting (XSS). FTAPI offers so-called submit boxes, via which external users can submit a message, including a file attachment, without needing a user account. We at Pentest Factory use these submit boxes to offer our customers a secure and simple way to hand over credentials, documentation or other sensitive files. The files are transmitted in encrypted form and are then retrieved by our penetration testers.
The file upload of the submit-box interface accepts files with a malicious file name. When hovering over the file name field in the recipient's inbox, an alt-text element is displayed (see the following screenshot) that shows the file name. This dynamically inserted element neither encodes nor filters special characters in the file name, so HTML contained in the file name is interpreted by the browser, which results in stored XSS.
Figure 1: Vulnerable alt-text field of the file name box
Figure 2: Proof-of-Concept: malicious file name with alert() execution
For the upload to succeed, the file must not be empty. A proof-of-concept file can be created with the following Linux command:
echo "test" >> "<iframe onload=alert('XSS')>"
Figure 3: PoC with JS-Alert-Box triggering in the inbox of an FTAPI user
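As an added illustration that is not FTAPI's code and does not describe its internal template engine, the following Node.js example shows the pattern behind this finding: a file name spliced into markup without output encoding, next to a rendering that encodes it, plus an upload-time file name check as defense in depth. The span markup, the function names and the second payload (which breaks out of the title attribute instead of adding an element, going one step beyond the iframe case above) are assumptions made for the example.

```javascript
// Added example (not FTAPI code): a file name rendered into markup without
// output encoding, next to the hardened rendering. Runs under Node.js.

// Encode the characters that change meaning in a text node or in a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted file name is spliced into the template verbatim,
// as happens when code does element.innerHTML = '...' + name + '...'.
// A name such as <iframe onload=alert('XSS')> becomes a real element, and a
// name containing a double quote can add attributes to the wrapper itself.
function renderFileNameVulnerable(name) {
  return `<span class="file" title="${name}">${name}</span>`;
}

// Hardened: encode for the attribute context and for the text context.
// (Assigning element.textContent / element.title in the browser has the
// same effect without building markup at all.)
function renderFileNameSafe(name) {
  const safe = escapeHtml(name);
  return `<span class="file" title="${safe}">${safe}</span>`;
}

// Checker used by the demo: true only if the output is still exactly one
// <span> with one quoted title attribute and a text node without tags.
const WRAPPER_SHAPE = /^<span class="file" title="[^"]*">[^<]*<\/span>$/;
function isWellFormedWrapper(html) {
  return WRAPPER_SHAPE.test(html);
}

// Defense in depth at upload time: refuse names the interface has no reason
// to accept (markup characters, quotes, path separators, control characters).
// This does not replace output encoding; it only narrows the attack surface.
const FILE_NAME_RULE = /^[^<>"'\\\/\x00-\x1f]{1,255}$/;
function isAcceptableFileName(name) {
  return FILE_NAME_RULE.test(name);
}

// Constructed inputs: the payload from the write-up and a variant that breaks
// out of the title attribute instead of adding a new element.
const PAYLOADS = ["<iframe onload=alert('XSS')>", '" onmouseover="alert(1)'];

function demo() {
  return PAYLOADS.map((name) => ({
    name,
    accepted_at_upload: isAcceptableFileName(name),
    vulnerable_render_intact: isWellFormedWrapper(renderFileNameVulnerable(name)),
    safe_render_intact: isWellFormedWrapper(renderFileNameSafe(name)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Running the block prints one row per payload: both names fail the upload-time rule, both break the vulnerable rendering, and both survive the encoded rendering as inert text. The upload-time rule is deliberately the secondary control; the finding is fixed by encoding at the point where the name is written into the page.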
CVE-2021-25278: FTAPI Stored XSS (via Submit Box Template)
Figure 4: Vulnerable background image upload in the layout editor for submit boxes.
To exploit the vulnerability, an SVG file with the following content can, for example, be uploaded as a background image:
The uploaded file is stored under the /api/2/staticfile/ path and triggers the XSS payload as soon as it is opened in the browser:
Figure 5: Stored XSS when opening the malicious SVG file
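As an added example that is not part of the original article and is independent of what the vendor's fix did, the following Node.js code shows the checks a practitioner would want on an image upload endpoint whose files are later served from a static path: reject SVGs that carry script, event-handler attributes, javascript: links, foreignObject or DTD entities; verify raster formats by magic bytes rather than by the declared type; and serve any SVG that is kept with headers that stop it from running as a document in the application's origin. The sample SVGs and the PNG header are constructed for the example, and the function names are assumptions.

```javascript
// Added example, not FTAPI code: server-side handling of an uploaded
// background image so that an SVG carrying script cannot execute in the
// application's origin. Runs under Node.js, no dependencies.

const ALLOWED_RASTER = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

// Constructs through which an SVG can execute or embed active content.
// The list is conservative: a benign SVG that trips it is rejected, not served.
const SVG_ACTIVE_CONTENT = [
  /<script[\s>]/i,                                   // inline or external script
  /\son[a-z]+\s*=/i,                                 // onload=, onclick=, ...
  /(?:xlink:)?href\s*=\s*["']?\s*javascript:/i,      // javascript: links
  /<foreignObject[\s>]/i,                            // arbitrary embedded HTML
  /<!ENTITY/i,                                       // DTD / entity tricks
];

function svgHasActiveContent(svgText) {
  // Strip comments first so "<!-- <script> -->" neither hides nor fakes a hit.
  const stripped = svgText.replace(/<!--[\s\S]*?-->/g, '');
  return SVG_ACTIVE_CONTENT.some((re) => re.test(stripped));
}

// Identify raster formats by their magic bytes, not by the declared type or
// the file extension, so a renamed SVG cannot pass as a PNG.
function sniffRaster(bytes) {
  const b = Buffer.from(bytes);
  const ascii = (start, end) => b.subarray(start, end).toString('latin1');
  if (b.subarray(0, 8).equals(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]))) return 'image/png';
  if (b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return 'image/jpeg';
  if (ascii(0, 6) === 'GIF87a' || ascii(0, 6) === 'GIF89a') return 'image/gif';
  if (ascii(0, 4) === 'RIFF' && ascii(8, 12) === 'WEBP') return 'image/webp';
  return null;
}

// Decide whether an upload may be stored and, if so, which headers the
// static-file endpoint must send when it serves the file later.
function evaluateBackgroundUpload(bytes) {
  const raster = sniffRaster(bytes);
  if (raster && ALLOWED_RASTER.has(raster)) {
    return {
      accept: true,
      reason: `raster ${raster}`,
      headers: {
        'Content-Type': raster,
        'X-Content-Type-Options': 'nosniff',
        'Content-Security-Policy': "default-src 'none'",
      },
    };
  }
  const text = Buffer.from(bytes).toString('utf8');
  if (!/<svg[\s>]/i.test(text)) {
    return { accept: false, reason: 'unrecognised image format', headers: {} };
  }
  if (svgHasActiveContent(text)) {
    return { accept: false, reason: 'SVG contains active content', headers: {} };
  }
  // A static SVG is kept, but must never render as a document in the app
  // origin: force download on direct navigation and deny script via CSP in
  // case the pattern filter above is ever bypassed. Subresource loads such as
  // a CSS background-image ignore Content-Disposition, so the image still works.
  return {
    accept: true,
    reason: 'static SVG',
    headers: {
      'Content-Type': 'image/svg+xml',
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': 'attachment',
      'Content-Security-Policy': "default-src 'none'; script-src 'none'; sandbox",
    },
  };
}

// Constructed samples for the demo (not files from the original test).
const MALICIOUS_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">' +
  '<script>alert(1)</script></svg>');
const BENIGN_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>');
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, buf] of [['malicious svg', MALICIOUS_SVG], ['benign svg', BENIGN_SVG], ['png', PNG_HEADER]]) {
    console.log(label, evaluateBackgroundUpload(buf));
  }
}
```

The two layers are deliberately independent: the pattern filter stops the obvious payloads at upload time, while the response headers make a bypass of that filter harmless when the file is opened directly from the static path, which is the scenario in Figure 5. Where the layout editor only needs a raster background, the simplest hardening is to not accept SVG at all.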
An attacker who exploits one of the cross-site scripting (XSS) vulnerabilities could conduct the following attacks:
- Session hijacking with access to confidential data and identifiers
- Manipulation of the website (e.g., phishing)
- Insertion of malicious contents
- Redirection of users to malicious pages
- Malware infection
This could lead to a loss of confidentiality, integrity and availability of the data processed by FTAPI.
Both vulnerabilities were fixed in the vendor's subsequent release. We have no evidence that the vulnerabilities were exploited on our systems beforehand.
More information can be found in the FTAPI release notes at https://docs.ftapi.com/display/RN/4.11.0.
Thank you to the FTAPI team for the quick and uncomplicated communication and for remediating the identified findings!