Vulnerabilities in FTAPI 4.0 – 4.11

To protect Pentest Factory's own IT infrastructure against attacks, internal penetration tests are an essential part of our strategy, with additional focus on systems that process sensitive client data. In a penetration test of our file transfer platform FTAPI, we identified two vulnerabilities that we forwarded to the vendor for a patch. Both vulnerabilities were fixed in the subsequent FTAPI release and cannot be exploited in current software versions anymore.

We thank the FTAPI team for a quick and easy disclosure, as well as remediation process.

The details of each vulnerability are described in this blog article.


CVE-2021-25277: FTAPI Stored XSS (via File Upload)

The FTAPI web application is vulnerable to "Stored Cross-Site Scripting" (XSS). FTAPI offers so-called submit boxes, via which external users can submit a message, including a file attachment, without requiring a user account. We at Pentest Factory use these submit boxes to offer our customers a secure and simple platform for submitting credentials, documentation or other sensitive files. The files are transmitted in encrypted form and are then retrieved by our penetration testers.

The file upload of the submit-box interface allows users to upload files with a malicious name. When hovering over the file name field, an alternative text element showing the file name is displayed (see Figure 1). This dynamically displayed element does not filter or encode the file name for malicious characters, which creates an XSS vulnerability.


Figure 1: Vulnerable alt-text field of the file name box

Proof-of-Concept (PoC)

When uploading a file with the following name, a JavaScript alert box is executed to demonstrate the vulnerability:


Figure 2: Proof-of-Concept: malicious file name with alert() execution

For the upload to succeed, the file must not be empty. A proof-of-concept file can be created with the following Linux command:

echo "test" >> "<iframe onload=alert('XSS')>"

The file name field is not only displayed during the upload for the submitter, but also for the recipient when the submission is viewed. This allows JavaScript code to be executed on behalf of the owner of a submit box as soon as they retrieve the file. The attacker's payload is executed as soon as the mouse touches the green file field with the malicious file name in the FTAPI web interface. Submit boxes are usually public: if the recipient's submit box URL is known, any message, including malicious files, can be submitted.


Figure 3: PoC with JavaScript alert box triggering in the inbox of an FTAPI user
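The root cause described above is a file name that reaches the tooltip element as markup instead of as text. The following example, added here and not taken from FTAPI's code base, contrasts the vulnerable rendering pattern with an output-encoded one, using the proof-of-concept file name from this section as input. The element markup and function names are assumptions for illustration; the check at the end is a simple way to confirm in a unit test that no raw tag from the file name survives into the rendered HTML.

```javascript
// Added example (not FTAPI's code): rendering an untrusted file name into a
// tooltip / alt-text element. The file name is the one from the PoC above.
const POC_FILE_NAME = "<iframe onload=alert('XSS')>";

// Minimal HTML entity encoder, sufficient for element content and for
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw name is concatenated into markup, so a name
// containing tags becomes live HTML and the iframe's onload handler fires
// when the tooltip is shown (assumed element structure).
function renderTooltipUnsafe(fileName) {
  return '<span class="file-tooltip">' + fileName + "</span>";
}

// Hardened pattern: identical markup, but the name is encoded first, so the
// browser shows it as text. In browser code the equivalent is to assign
// element.textContent (or use setAttribute for a title attribute) instead of
// innerHTML.
function renderTooltipSafe(fileName) {
  return '<span class="file-tooltip">' + escapeHtml(fileName) + "</span>";
}

// Test helper: strip the wrapper span and report whether any raw tag start
// (e.g. "<iframe", "</", "<!") from the untrusted input remains.
function containsRawTag(html) {
  const inner = html
    .replace(/^<span class="file-tooltip">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

console.log("unsafe:", renderTooltipUnsafe(POC_FILE_NAME));
console.log("safe:  ", renderTooltipSafe(POC_FILE_NAME));
```

Encoding at the point where the value enters the page is the fix; filtering characters out of the file name on upload is fragile because the same name is displayed in several places (upload form and recipient inbox, as the article notes) and each of them needs the correct encoding for its context.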


CVE-2021-25278: FTAPI Stored XSS (via Submit Box Template)

Furthermore, we identified a second Cross-Site Scripting (XSS) vulnerability in the application. Administrative users are able to change the overall template of submit boxes. This includes a function for changing the background image. Uploaded images are not filtered for malicious content, which allows an attacker to upload SVG files with embedded JavaScript. This again allows the execution of JavaScript and introduces an XSS vulnerability in the application. The vulnerability can only be exploited by administrative users, which reduces the likelihood of real exploitation.


Figure 4: Vulnerable background image upload in the layout editor for submit boxes.

Proof-of-Concept (PoC)

To demonstrate the vulnerability, an SVG file with the following content can be uploaded as a background image:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('Pentest Factory XSS');
   </script>
</svg>

The uploaded file is stored under the /api/2/staticfile/ path and triggers XSS once it is opened:


Figure 5: Stored XSS when opening the malicious SVG file
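An SVG is an XML document, so an image upload endpoint that accepts it has to treat it as potentially active content. The following example, added here and not FTAPI's own code, shows an upload gate that accepts raster images by magic bytes and only accepts an SVG when no script-capable construct is present, followed by the response headers a defender would want on the static-file path the article names so that a file that does slip through is served as a download rather than rendered in the application's origin. The PoC SVG from this section is embedded as the malicious sample; the benign SVG, the function names and the header policy are assumptions for illustration.

```javascript
// Added example (not FTAPI's code): validating background-image uploads and
// serving stored files defensively. The first sample is the PoC SVG from the
// article; the second is a constructed benign SVG.
const POC_SVG = `<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('Pentest Factory XSS');
   </script>
</svg>`;

const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>`;

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);

// Constructs that turn an SVG from a picture into a script host when it is
// opened directly or embedded inline. This is a conservative deny-list for a
// gate, not a full sanitizer; a production system should additionally run a
// proper sanitizer or rasterize the image.
const ACTIVE_CONTENT = [
  { name: "script element", re: /<\s*script\b/i },
  { name: "inline event handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /(href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject (embeds HTML)", re: /<\s*foreignObject\b/i },
  { name: "entity declaration", re: /<!ENTITY\b/i },
];

// Identify the image type from content, never from the client-supplied
// Content-Type or file extension.
function sniffType(bytes) {
  if (bytes.subarray(0, 8).equals(PNG_MAGIC)) return "image/png";
  if (bytes.subarray(0, 3).equals(JPEG_MAGIC)) return "image/jpeg";
  const head = bytes.subarray(0, 1024).toString("utf8");
  if (/<svg[\s>]/i.test(head)) return "image/svg+xml";
  return "unknown";
}

// Return the names of all active-content patterns found in an SVG document.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Upload gate: raster images pass on magic bytes, SVG passes only when clean.
function validateBackgroundImage(bytes) {
  const type = sniffType(bytes);
  if (type === "image/png" || type === "image/jpeg") {
    return { accepted: true, type, findings: [] };
  }
  if (type === "image/svg+xml") {
    const findings = findActiveContent(bytes.toString("utf8"));
    return { accepted: findings.length === 0, type, findings };
  }
  return { accepted: false, type, findings: ["unrecognised image format"] };
}

// Headers for serving stored uploads (the article names /api/2/staticfile/):
// declare the type, forbid sniffing, deliver as a download, and deny script
// execution if a browser renders the document anyway.
function staticFileHeaders(type) {
  return {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
  };
}

console.log("PoC SVG:", validateBackgroundImage(Buffer.from(POC_SVG)));
console.log("benign SVG:", validateBackgroundImage(Buffer.from(BENIGN_SVG)));
```

Serving user uploads from a separate origin (or at least with the headers above) is the layer that makes the difference when an upload filter is bypassed, because the injected script then runs without access to the FTAPI session. The gate itself is deliberately strict: rejecting a benign but unusual SVG costs an administrator a re-upload, while accepting a malicious one costs a session.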


Possible Impact

An attacker that exploits one of the Cross-site Scripting (XSS) vulnerabilities could conduct the following attacks:

  • Session hijacking with access to confidential data and identifiers
  • Manipulation of the website (e.g., phishing)
  • Insertion of malicious content
  • Redirection of users to malicious pages
  • Malware infection

This could lead to a loss of confidentiality, integrity and availability of the data processed by FTAPI.


Vulnerability Fix

Both vulnerabilities were fixed in the vendor's subsequent release. We have no evidence that the vulnerabilities were actively exploited on our systems beforehand.
More information can be found at https://docs.ftapi.com/display/RN/4.11.0.

Thank you to the FTAPI team for the quick and easy communication, as well as the remediation of the identified findings!