-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-021
Product: HTTP Commander
Manufacturer: Element-IT Software
Affected Version(s): < 5.3.3.2020.11.16
Tested Version(s): 5.3.3.2020.11.16
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-05-05
Solution Date: 2021-05-13
Public Disclosure: 2021-07-14
CVE Reference: CVE-2021-33211
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

HTTP Commander is a web-based file manager.

The manufacturer describes the product as follows (see [1]):

"This software is intended for fast and easy integration of web site
functionality with sharing and management of files and documents on a
Windows server through a web browser over net. It's a web server-based
file sharing and management solution – the best alternative to FTP,
WebDav, Sharepoint, etc."

Due to the missing validation of the folder structure in ZIP archives,
the product is vulnerable to path traversal resulting in arbitrary file
upload. Every user can therefore write files to any location on the
system to which the web server user has write access. This attack is
also known as "Zip Slip".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

HTTP Commander allows users to upload ZIP archives to a folder. To
extract the archive, the context menu offers the function "Unpack ZIP"
--> "to the current folder". The user needs write permissions on this
folder and the right to unpack ZIP archives.

ZIP archives can include a folder structure, including relative paths.
Using software that respects the folder structure of the archive, an
arbitrary file can be extracted to an arbitrary location on the system
where the service user of the web server has write permissions.
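The validation the advisory describes as missing, written here as an added reference check in Python (example code, not the advisory's PoC and not the product's own .NET code): every entry name is refused if it is absolute, still contains a ".." component after normalization, or is stored as a symbolic link, and extraction only starts once the whole archive has passed. The sample archive is constructed inline and reuses the entry name from the PoC with placeholder content.

```python
import io
import posixpath
import re
import stat
import zipfile

_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as "C:"

def unsafe_reason(name, unix_mode=0):
    """Why an entry must not be extracted (None if safe); slashes normalized first."""
    name = name.replace("\\", "/")
    if _DRIVE_RE.match(name) or posixpath.isabs(name):
        return "absolute path"
    # normpath keeps a leading "..", so any surviving ".." component escapes dest.
    if ".." in posixpath.normpath(name).split("/"):
        return "parent-directory traversal"
    # zip -y stores symbolic links; a link target is a second way out of dest.
    if stat.S_ISLNK(unix_mode):
        return "symbolic link entry"
    return None

def audit_archive(data):
    """Map each unsafe entry name to its reason, without extracting anything."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # High 16 bits of external_attr carry the Unix mode for Unix-built archives.
            reason = unsafe_reason(info.filename, info.external_attr >> 16)
            if reason:
                findings[info.filename] = reason
    return findings

def safe_extract(data, dest):
    """Extract only if every entry passes the checks; otherwise refuse outright."""
    findings = audit_archive(data)
    if findings:
        raise ValueError(f"refusing to extract, unsafe entries: {findings}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def build_sample_archive():
    """Constructed archive: a benign file, the advisory's traversal entry, a symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../webshell.ashx", "placeholder text, not a payload")
        link = zipfile.ZipInfo("link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as symlink
        zf.writestr(link, "../../target")
    return buf.getvalue()
```

Python's own zipfile.extractall already strips such components, whereas the extraction described above did not; the point is that the archive is audited as a whole before a single byte is written.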
Extracting ZIP archives with HTTP Commander respects the folder
structure and therefore writes data to arbitrary folders on the system
where the web server user has write permission.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a ZIP archive including relative paths. On a Linux system, the
following command can be used to create such a ZIP archive:

$ zip -y malicious.zip ../webshell.ashx

Upload the file and unzip it to the current folder. The file
webshell.ashx in the archive is then written to the file system
respecting the relative paths.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 5.3.5.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-07: Vulnerability discovered
2021-05-05: Vulnerability reported to manufacturer
2021-05-13: Patch released by manufacturer
2021-07-14: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for HTTP Commander
    https://www.element-it.com/asp-net-explorer-browser/online-share/web-file-manager.aspx
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en