Stored XSS in FileBrowser leads to Admin account Takeover + RCE

CVE-2023-39612

Description

A Cross-Site Scripting vulnerability was discovered in FileBrowser before v2.25.0. An attacker with a non-admin user account on the FileBrowser instance can create specially crafted HTML and JavaScript files, then send the Admin a link to the HTML file; opening that link runs the attacker’s script in the Admin’s session despite the Content-Security-Policy, leading to Admin account takeover.

Proof-Of-Concept:

// xss.js

alert(document.cookie);

// xss.htm

<script src="/api/raw/poc/xss.js?auth=[jwt_token of the Low Privileged user]"></script>

  1. Create a folder named “poc” as the non-admin user.
  2. Create the 2 files as above (xss.htm and xss.js) under the poc folder.
  3. Craft the XSS URL as below and open it as the Admin user to verify the XSS.

http://your_filebrowser_ip:port/api/raw/poc/xss.htm?auth=[non-admin user's jwt token]&inline=true

It will trigger an alert pop-up showing the Admin’s cookie, because the page is rendered in the FileBrowser origin inside the Admin’s browser session.

Explanation

  • The “?auth=[non-admin token]” parameter is included because the API also accepts the JWT in the “auth” query parameter and uses it in preference to the token stored in the browser’s cookie. Without it, the request from the Admin’s browser would be authenticated with the Admin’s own JWT; since the files were created under the non-admin user’s scope, the API would then answer “404 Not Found”. By embedding their own JWT in the link, the non-admin user makes the Admin’s browser fetch the malicious files as the non-admin account while the page still renders in the FileBrowser origin, so the script sees the Admin’s cookies.
  • The “?inline=true” parameter is included because without it FileBrowser serves the HTML file as an attachment and the browser downloads it instead of rendering it. With “inline=true” the file is served inline, the browser treats it as a web page, and the JavaScript executes.
  • The Content-Security-Policy (CSP) does not stop this because FileBrowser sets “default-src 'self'”. The malicious xss.js is served from the same origin through /api/raw, so it is exactly the kind of script that 'self' permits.

Impact

This vulnerability allows takeover of the Admin account. Because a FileBrowser Admin can run system shell commands from the application and has full access to the served filesystem, the takeover leads to arbitrary command execution on the host.

Fix:

The vulnerability was fixed by adding a Content-Security-Policy on the /api/raw endpoint that blocks any JavaScript from executing in content served from it.

https://github.com/filebrowser/filebrowser/commit/b508ac3d4f7f0f75d6b49c99bdc661a6d2173f30
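As an added illustration (not FileBrowser’s code and not the patched handler from the commit above), the following Go program models the three ingredients the Explanation describes and the kind of per-endpoint CSP the fix introduces: a token lookup in which the auth query parameter takes precedence over the session cookie, a raw handler whose Content-Disposition flips to inline on inline=true, and a small CSP check showing why default-src 'self' permits a same-origin script while a script-forbidding policy on the raw endpoint does not. The hostname, the tokens, the sampleHTML body and the exact hardened policy string are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the attacker's xss.htm (not a real capture).
const sampleHTML = `<script src="/api/raw/poc/xss.js?auth=ATTACKER_JWT"></script>`

// extractToken models the lookup order described in the Explanation: a JWT in
// the "auth" query parameter wins over the session cookie. Illustrative only.
func extractToken(r *http.Request) string {
	if q := r.URL.Query().Get("auth"); q != "" {
		return q
	}
	if c, err := r.Cookie("auth"); err == nil {
		return c.Value
	}
	return ""
}

// serveRaw serves a user-owned file. hardened=false reproduces the vulnerable
// combination: inline=true switches Content-Disposition from attachment to
// inline, and a site-wide "default-src 'self'" still allows same-origin script.
// hardened=true applies an assumed fix pattern: a dedicated CSP on the raw
// endpoint that forbids script (the real patch's policy string may differ).
func serveRaw(w http.ResponseWriter, r *http.Request, name, contentType string, body []byte, hardened bool) {
	disposition := "attachment"
	if r.URL.Query().Get("inline") == "true" {
		disposition = "inline"
	}
	w.Header().Set("Content-Disposition", fmt.Sprintf("%s; filename=%q", disposition, name))
	w.Header().Set("Content-Type", contentType)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if hardened {
		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'none'; sandbox")
	} else {
		w.Header().Set("Content-Security-Policy", "default-src 'self'")
	}
	_, _ = w.Write(body)
}

func hasFlag(list []string, want string) bool {
	for _, s := range list {
		if strings.EqualFold(s, want) {
			return true
		}
	}
	return false
}

// scriptAllowedSameOrigin is a minimal CSP evaluator for one question only:
// may a <script src="/api/raw/..."> loaded from the same origin execute?
func scriptAllowedSameOrigin(csp string) bool {
	dirs := map[string][]string{}
	for _, d := range strings.Split(csp, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			dirs[strings.ToLower(f[0])] = f[1:]
		}
	}
	// A sandbox directive without allow-scripts disables script entirely.
	if flags, ok := dirs["sandbox"]; ok && !hasFlag(flags, "allow-scripts") {
		return false
	}
	src, ok := dirs["script-src"]
	if !ok {
		src, ok = dirs["default-src"] // script-src falls back to default-src
	}
	if !ok {
		return true // no policy at all
	}
	for _, s := range src {
		switch strings.ToLower(s) {
		case "'none'":
			return false
		case "'self'", "*":
			return true
		}
	}
	return false
}

// RawResult summarises what the Admin's browser would see for one request.
type RawResult struct {
	Token         string // whose JWT authenticates the fetch
	Disposition   string // "inline" renders, "attachment" downloads
	CSP           string
	ScriptAllowed bool
}

// Simulate issues rawURL with cookieToken as the session cookie, as the
// Admin's browser would after clicking the attacker's link.
func Simulate(rawURL, cookieToken string, hardened bool) RawResult {
	req := httptest.NewRequest(http.MethodGet, rawURL, nil)
	if cookieToken != "" {
		req.AddCookie(&http.Cookie{Name: "auth", Value: cookieToken})
	}
	rec := httptest.NewRecorder()
	serveRaw(rec, req, "xss.htm", "text/html; charset=utf-8", []byte(sampleHTML), hardened)
	h := rec.Result().Header
	disp := strings.TrimSpace(strings.SplitN(h.Get("Content-Disposition"), ";", 2)[0])
	csp := h.Get("Content-Security-Policy")
	return RawResult{Token: extractToken(req), Disposition: disp, CSP: csp, ScriptAllowed: scriptAllowedSameOrigin(csp)}
}

func main() {
	link := "http://filebrowser.example/api/raw/poc/xss.htm?auth=ATTACKER_JWT&inline=true"
	for _, hardened := range []bool{false, true} {
		fmt.Printf("hardened=%v: %+v\n", hardened, Simulate(link, "ADMIN_JWT", hardened))
	}
}
```

Running it prints the vulnerable case (attacker's token used, inline, script allowed) followed by the hardened case, where the token and disposition are unchanged and only the CSP decides whether the same-origin script may run; that is why a per-endpoint policy is the right place for the fix even though the query-parameter token handling is what delivers the attacker's files.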

Update to the latest version if you are using Filebrowser.

Filebrowser v2.25.0 is released

https://github.com/filebrowser/filebrowser/releases
