-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-020 
Product:                   HTTP Commander
Manufacturer:              Element-IT Software
Affected Version(s):       < 5.3.3.2020.11.16
Tested Version(s):         5.3.3.2020.11.16
Vulnerability Type:        Cross-Site Scripting (CWE-79) 
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2021-05-05
Solution Date:             2021-05-13
Public Disclosure:         2021-07-14
CVE Reference:             CVE-2021-33212
Author of Advisory:        Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

HTTP Commander is a web-based file manager.

The manufacturer describes the product as follows (see [1]):

"This software is intended for fast and easy integration of web site 
functionality with sharing and management of files and documents on a 
Windows server through a web browser over net. It's a web server-based 
file sharing and management solution – the best alternative to FTP, 
WebDav, Sharepoint, etc."

Due to the missing validation of SVG files, it is vulnerable to 
persistent cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SVG images are vector graphics storing the information in 
XML format. In these files, JavaScript code can be included. Opening such 
a file in the browser will execute the JavaScript code in the context of 
the victim. Therefore, the product is vulnerable to persistent cross-site 
scripting.

The HTTP Commander allows users to upload arbitrary SVG graphics to a 
folder. The user needs write permissions on this folder. 
These graphics are handled like all pictures, therefore the option 
"View/Edit" --> "View in Browser" is available. Viewing the graphic in 
the browser executes the included JavaScript code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):
Upload the following SVG graphic to an arbitrary folder.

<?xml version="1.0" encoding="utf-8"?>
<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
	viewBox="411 232 138.6 95" 
	width="139"
    height="95" 
    enable-background="new 411 232 138.6 95" xml:space="preserve">
     <script>alert("SySS XSS POC")</script>
</svg>

Mark the file and open it in the browser using the "View in Browser" 
function. The JavaScript code will be executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 5.3.5. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-07: Vulnerability discovered
2021-05-05: Vulnerability reported to manufacturer
2021-05-13: Patch released by manufacturer
2021-07-14: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for HTTP Commander
    https://www.element-it.com/asp-net-explorer-browser/online-share/web-file-manager.aspx
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmDtU8YACgkQq/DPL00C
IPlHPw/8DrcQ9VWRFauTKRg0sjFubDYHLdYoqG8OJ/7f74Zc5EBHW1OxwwgXOgp9
cilNTgS12Nzj4JGLmV5lu1MQywe5kfAG8Bsg14hQzDMtDpgGTYs5Zm5Aykm0aA88
qoc56T9ZXhgQcZRfYZM6lkuO6IIQrh/gk/wNDdO4256TgonRWXk1cRxjWGu66kP+
oQKh5BTndZgEesUlRKWfId1Y8sjpHtdalRADRySY2cy66q86th4cbaSbC0XM/ys/
hBxca0bVHfZNt51fdA05crewKTLLBPYDcZgSIVw5nRzpQqdslSSjqq5ByZcNJXvP
IgveApdHdaSrYoAffF+OQMj1un5WJHgmxIQHzNVFxIyhQiQrze9QNU4SivaOyM4X
eeWjlFlVITBjSLWFMFuabTQzSFGHZtOIAxzDyfkx5jx1NLaOBLN+5yZsoj/RhB9X
k9/soeaFIZ74TR1LD4WBqt+3+SK2tqT/Qg15ghQ0kqtfI9h+5KtGIAbR0qgK50Ay
ZZW6cv5idqYJTch5rAgOfciyAE2nNKx+xGdx46RUBDcK+1u7d5AAifkBJkNbmZBB
XBzLLmHA8gmM9ZVuWmLXm3Fi8stKHXTr4Vw0+d4+Iqg3FqqCk85r0TX2JLBjyDrw
f7pUncc539ugTnG68+7NZWBRvVa+iyochdLHWlSsZLeL6cNsFOg=
=hXpd
-----END PGP SIGNATURE-----