-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-057 Product: Cryptshare Web App Manufacturer: Cryptshare AG Affected Version(s): Prior to 5.1.0 Tested Version(s): 4.9.1.7498 Vulnerability Type: Open Redirect (CWE-601) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2021-10-12 Solution Date: 2021-10-28 Public Disclosure: 2021-11-12 CVE Reference: CVE-2021-42564 Author of Advisory: Fabian Krone, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Cryptshare is a web application to securely provide files and messages. The manufacturer describes the product as follows (see [1]): "From the very beginning, we have designed Cryptshare as a secure digital transfer service." Due to insufficent input sanitization, it is vulnerable to an open redirect via HTML injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: With the appropriate license, Cryptshare allows providing users with confidential messages. These messages are secured like regular file transfers via Cryptshare. The editor for the confidential messages allows for basic text formatting like bold text. In the background, this is converted to HTML. However, this also allows an attacker to introduce own HTML tags like images which are not part of the editor. On the server side, the input is sanitized in order to prevent cross-site scripting. This input sanitazion is incomplete. An attacker could introduce an own HTML meta tag which can be used to redirect the receiving user to another page. This page then can be used for phishing attempts. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): A confidential message is provided via Cryptshare. The request sent by the browser to the server is intercepted and altered by editing the editor parameter of the request: POST /Upload2?1-1.0-navigationContainer-navigation-nextButton-link&csrfToken=[...] HTTP/1.1 Host: cryptshare.example.com [...] csrfToken=[...]&subject%3AtextInput=XSS&editor=&navigationContainer%3Anavigation%3AnextButton%3Alink=1 After that, the Cryptshare workflow is executed as normal. On the receiving side, the victim opens the confidential message provided. Depending on the configuration, a password is needed to retrieve the message. However, there is also an option to provide transfers without any password. Upon opening the confidential message, the victim is provided with the following payload in the HTTP response: [...]
[...] This causes the victim's browser to follow this redirection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update to version 5.1.0 of the Cryptshare server. More information: https://documentation.cryptshare.com/w/CSSCurrent_en:Update_from_v5.0.0_to_v5.1.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-10-08: Vulnerability discovered 2021-10-12: Vulnerability reported to manufacturer 2021-10-28: Patch released by manufacturer 2021-11-12: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Cryptshare https://www.cryptshare.com/en-us/why-cryptshare/#c34912 [2] SySS Security Advisory SYSS-2021-057 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-057.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Fabian Krone of SySS GmbH. E-Mail: fabian.krone@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECt7Sqq4nfdqo8MBRv98wq9EOoPQFAmGKaCoACgkQv98wq9EO oPQyBw//ZGp60JreMiL62KsQ5OXoaEYtZdwtB+slEClabmOAlog9/pgc8pwnKTh1 ds9ABMbcsoy0O2iplRiff/PS1CBCyqF2BSBXtEhCU4n0tOqhWH2C4gOpkfJ+0/uG i9RwPM1O3xxoRMpHeNiYJ43/GdyJ2kOC9jo8rHJAqIPtcU7kwohX2GN+UMcZK2jW mDidHM0QaHXKXIDRb67B8ii+ANv1XuVF/40PWUt1OmOsPje7vzxqlqzsQJhtoNiI sIgjo8i8JPoBgD2i7pmX7kCkWgG9vas08f/E7Lj0VimvEq0bSWLyA4HTvYPwscLK P/DM0zebKsoZi3SWtQaAT0s/cv2IOqAkWuFqAG8edfRA+RpsOinjyuD7iQjk2CQR jNjeZo1OjcWmx3s1NjUpOmV8whWxN5VtL6jhFUQnNBR27P+oDHzuw8Cgm9hTeH0q OLd6gG6YNd8yoIjPpT54/bef5wFXmD1h7LjfNrmhBUDsxDX2dXX+eQH/SBGFbUKU zK6HdgCl7So3rWVwnh/ye7v3NwA1UDZEt7WUr5f7wh7IKrc+0Kh1rEY5DnyS9BKp DPJizvsRrW45HZIZJnN3CGBWdDK4fdZbNKldKlStV1yDqHh5bYat3T6zzEN8WfxY A4WTELRZdK4tNXbenQrH/wGr1OAL3KzqAVga5InGsLLShaIHN38= =BKRe -----END PGP SIGNATURE-----