
Wednesday, September 23, 2015

[FD] WiFi Drive CR v1.0 iOS - Persistent Filename Dir List Vulnerability

Document Title:
===============
WiFi Drive CR v1.0 iOS - Persistent Filename Dir List Vulnerability

References (Source):
====================
http://ift.tt/1VaphkT

Release Date:
=============
2015-09-23

Vulnerability Laboratory ID (VL-ID):
====================================
1595

Common Vulnerability Scoring System:
====================================
3.8

Product & Service Introduction:
===============================
Files can be uploaded with any browser. Start the WiFi Drive web server from the application and connect to it using any browser. Use the iPod's/iPhone's/iPad's available disk space to carry any files. Use your iPhone as a normal shared network drive!

(Copy of the Homepage: http://ift.tt/1KzMM0J )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side exception web vulnerability in the official WiFi Drive + CR v1.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2015-09-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
DONG JOO CHO
Product: WiFi Drive + CR - Mobile WiFi (Web-Application) 1.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official WiFi Drive + CR v1.0 iOS mobile web-application. The vulnerability allows remote attackers to inject malicious persistent script code into the application-side of the mobile application.

The vulnerability is located in the filename value of the upload files module POST method request. Remote attackers can manipulate the filename validation in the POST method request to trick the application into executing script code via the index exception handling. After the injection is processed, the file validation exception occurs and redisplays the injected context. This results in a final application-side POST inject vulnerability. The attack vector of the issue is located on the application-side and the request method to inject the payload is POST.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. Exploitation of the application-side web vulnerability requires no privileged web-application user account and only low or medium user interaction. Successful exploitation of the vulnerabilities results in persistent phishing, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Upload Files

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index - Exception handling (File Validation > Upload)

Proof of Concept (PoC):
=======================
The remote vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: localhost (Index)

Drag & drop files on this window or use the "Upload Files…" button to upload new files.

Internal Server Error: Failed uploading "[PERSISTENT SCRIPT CODE INJECT VULNERABILITY!]2.png" to "null"
Internal Server Error: Failed uploading "3.png" to "null"
Internal Server Error: Failed uploading "4.png" to "null"
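
The exception output above echoes the uploaded filename into the index page. The following is an added example, not code from the advisory or from WiFi Drive CR, showing that rendering step without and with output encoding, plus a filename check at upload time. All function names and the sample filename are assumptions constructed for illustration.

```javascript
// Added illustration; not code from WiFi Drive CR or the advisory.
// Function names and the sample filename are hypothetical / constructed.

// HTML-escape a string for element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the client-supplied filename is concatenated into the error markup,
// so any markup it contains becomes part of the index page for every viewer.
function renderUploadErrorUnsafe(filename, target) {
  return '<div class="alert">Internal Server Error: Failed uploading "' +
    filename + '" to "' + target + '"</div>';
}

// AFTER: every untrusted value is encoded at the point of output.
function renderUploadError(filename, target) {
  return '<div class="alert">Internal Server Error: Failed uploading "' +
    escapeHtml(filename) + '" to "' + escapeHtml(target) + '"</div>';
}

// Defence in depth at upload time: keep only the base name and reject names
// with markup or control characters. Callers must store the RETURNED value.
function validateUploadName(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  if (base.length === 0 || base.length > 255) return null;
  if (base === "." || base === "..") return null;
  if (/[<>"'&\x00-\x1f\x7f]/.test(base)) return null;
  return base;
}

// Constructed sample: harmless markup standing in for the injected filename.
const sample = "<b>mark</b>2.png";
console.log(renderUploadErrorUnsafe(sample, "null")); // markup passes through
console.log(renderUploadError(sample, "null"));       // markup shown as text
console.log(validateUploadName(sample), validateUploadName("3.png"));
```

Encoding at output is the primary fix, because the stored name may also reach the page through paths other than the upload handler; the upload-time check only narrows what can be stored.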


Source: Gmail -> IFTTT-> Blogger
