Coordinated Disclosure Timeline
- 09/11/2020: Report sent to vendor
- 09/11/2020: Vendor acknowledges report receipt
- 12/11/2020: Asked for update. No response.
- 01/26/2021: Public issue created https://github.com/dotnet-architecture/eShopOnWeb/issues/500
Summary
eShopOnWeb is vulnerable to an Arbitrary File Overwrite, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges, per-user denial of service (DoS) and Remote Code Execution (RCE).
Product
Tested Version
Master branch.
Details
Issue 1: Arbitrary file overwrite
The Upload
action in FileController
doesn’t properly validate the FileName
in FileViewModel fileViewModel
. It is used later to build the destination path:
var fullPath = Path.Combine(Directory.GetCurrentDirectory(), @"wwwroot/images/products", fileViewModel.FileName);
This can be bypassed in multiple ways:
- By using
../
in theFileName
. - By using full path in the
FileName
.
As a result the attacker controls the file that will be ovewritten:
var fullPath = Path.Combine(Directory.GetCurrentDirectory(), @"wwwroot/images/products", fileViewModel.FileName);
if (System.IO.File.Exists(fullPath))
{
System.IO.File.Delete(fullPath);
}
System.IO.File.WriteAllBytes(fullPath, fileData);
Impact
This issue may lead to RCE as it is possible to overwrite executable files as long as the running application has sufficient privileges.
Issue 2: XSS (CVE-2018-0784)
The application doesn’t have a fix for CVE-2018-0784 that was found in ASP.NET Core templates. It is vulnerable to XSS if the logged-in user is tricked into clicking a malicious link like https://localhost:44315/manage/enable-authenticator?AuthenticatorUri=%22%3E%3C/div%3E%00%00%00%00%00%00%00%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
and enters an invalid verification code. More details are available in this blog post.
Impact
This issue may lead to the elevation of privileges.
Issue 3: CSRF (CVE-2018-0785)
The application doesn’t have a fix for CVE-2018-0785 that was found in ASP.NET Core templates. It is vulnerable to CSRF. A logged-in user with enabled Second Factor Authentication (2FA) may lose their recovery codes if they are tricked into clicking a link like https://localhost:44315/manage/Generate-Recovery-Codes
or visit a malicious site that makes the request without the user’s consent. As a result the user may be permanently locked out of their account after losing access to their 2FA device, as the initial recovery codes would no longer be valid.
Impact
This issue may lead to a per-user DoS.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com
, please include a reference to GHSL-2020-146
in any communication regarding this issue.