-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-057
Product: Cryptshare Web App
Manufacturer: Cryptshare AG
Affected Version(s): Prior to 5.1.0
Tested Version(s): 4.9.1.7498
Vulnerability Type: Open Redirect (CWE-601)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-10-12
Solution Date: 2021-10-28
Public Disclosure: 2021-11-12
CVE Reference: CVE-2021-42564
Author of Advisory: Luna Krone, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Cryptshare is a web application for securely providing files and
messages.

The manufacturer describes the product as follows (see [1]):

"From the very beginning, we have designed Cryptshare as a secure digital
transfer service."

Due to insufficient input sanitization, it is vulnerable to an open
redirect via HTML injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

With the appropriate license, Cryptshare allows providing users with
confidential messages. These messages are protected in the same way as
regular file transfers via Cryptshare.

The editor for confidential messages offers basic text formatting such
as bold text. In the background, the formatted message is converted to
HTML and submitted to the server as HTML. Because the server processes
that parameter as HTML, an attacker who intercepts the request can inject
HTML tags of their own, such as images, that the editor itself does not
offer.

On the server side, the input is sanitized in order to prevent
cross-site scripting. This sanitization is incomplete: it is aimed at
script execution, but an HTML meta tag passes through, and an attacker
can use such a tag to redirect the receiving user to another page. Since
the injected markup is delivered by the Cryptshare server itself, the
recipient's browser follows the redirect from a trusted origin, which
lends credibility to a phishing page at the destination.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A confidential message is submitted via Cryptshare. The request sent by
the browser to the server is intercepted, and the editor parameter,
which carries the message body as HTML, is modified:

POST /Upload2?1-1.0-navigationContainer-navigation-nextButton-link&csrfToken=[...] HTTP/1.1
Host: cryptshare.example.com
[...]

csrfToken=[...]&subject%3AtextInput=XSS&editor=&navigationContainer%3Anavigation%3AnextButton%3Alink=1

After that, the Cryptshare workflow continues as normal. On the
receiving side, the victim opens the confidential message. Depending on
the configuration, a password is required to retrieve the message;
however, transfers can also be configured without any password, in which
case opening the link is sufficient. Upon opening the confidential
message, the victim receives the following payload in the HTTP response:

[...]
[...]

This causes the victim's browser to follow the redirection to the
attacker-controlled page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 5.1.0 of the Cryptshare server.

More information:
https://documentation.cryptshare.com/w/CSSCurrent_en:Update_from_v5.0.0_to_v5.1.0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-08: Vulnerability discovered
2021-10-12: Vulnerability reported to manufacturer
2021-10-28: Patch released by manufacturer
2021-11-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Cryptshare
    https://www.cryptshare.com/en-us/why-cryptshare/#c34912
[2] SySS Security Advisory SYSS-2021-057
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-057.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Luna Krone of SySS GmbH.

E-Mail: luna.krone@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Luna_Krone.asc
Key ID: 0x31764595D77A53F2
Key Fingerprint: C7AF 1259 B763 D588 E8D2 B302 3176 4595 D77A 53F2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
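The sanitization gap described under Vulnerability Details, as an added example that is not part of this advisory and is not Cryptshare's code: a block-list sanitizer that strips script tags, event-handler attributes and javascript: URLs, as a filter aimed only at cross-site scripting would, lets a meta refresh tag through unchanged, while an allow-list sanitizer that rebuilds the message from the editor's own formatting tags drops it. The exact tag used in the PoC is elided above; the example assumes a meta refresh tag, which is the standard way an HTML meta tag causes a redirect. The allowed tag set, the phishing URL and the sample message are constructed for the example. contains_redirect is the kind of check a regression test can run over a stored or rendered message.

```python
"""Block-list vs allow-list HTML sanitizer for a rich-text message editor.
Added example, not Cryptshare's code; tag set, URLs and sample message are
constructed for illustration."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting a simple rich-text editor produces (assumed set for this example).
ALLOWED_TAGS = {"b", "strong", "i", "em", "u", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # tags whose text content is discarded too

# Constructed attacker message: real formatting, a meta refresh to a phishing
# page (assumed form of the redirecting meta tag), and an event-handler XSS
# attempt that an XSS-focused filter does catch.
PAYLOAD = (
    '<b>Please read</b> '
    '<meta http-equiv="refresh" content="0; url=https://phish.example/login">'
    '<img src="x" onerror="alert(1)">'
)


def blocklist_sanitize(html: str) -> str:
    """Vulnerable pattern: strip only what is known to execute script.
    A meta refresh contains no script, so it survives untouched."""
    html = re.sub(r"(?is)<script\b.*?>.*?</script>", "", html)
    html = re.sub(r"""(?i)\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "", html)
    html = re.sub(r"(?i)javascript:", "", html)
    return html


class AllowlistSanitizer(HTMLParser):
    """Hardened pattern: re-emit only allow-listed tags and attributes,
    escape all text, and drop everything else, <meta> included."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # rejects javascript:, data: and scheme-less values
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))  # text can never become markup

    def result(self) -> str:
        return "".join(self.out)


def allowlist_sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


def contains_redirect(html: str) -> bool:
    """Regression check: does the message still carry a meta refresh?
    Case-insensitive and tolerant of unquoted attribute values."""
    pattern = r"""(?is)<meta\b[^>]*http-equiv\s*=\s*["']?\s*refresh"""
    return re.search(pattern, html) is not None


if __name__ == "__main__":
    print("block-list :", blocklist_sanitize(PAYLOAD))
    print("allow-list :", allowlist_sanitize(PAYLOAD))
    print("redirect survives block-list:", contains_redirect(blocklist_sanitize(PAYLOAD)))
    print("redirect survives allow-list:", contains_redirect(allowlist_sanitize(PAYLOAD)))
```

The block-list output still contains the meta refresh, which is exactly the situation the advisory describes: the onerror handler is gone, so an XSS test passes, yet the recipient's browser is still redirected. The allow-list version never re-emits anything it does not know, so new tag types (meta, img, iframe, base) cannot slip through by omission.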
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEx68SWbdj1Yjo0rMCMXZFldd6U/IFAmeXklkACgkQMXZFldd6
U/IBxhAAlJpTQbEmkB4JSvht10IRgzVVgBujKIMyQi3IycVN1EUbK8PvtqReCk3h
2gI0LIw/o7LgengGe4X+paI4EBc662DNNedBQco4zQ3Tym/T3xNDBPtnDiU0gbtL
8EZ+EG2c/G3KJUv9ZKGEGmwNh3Z0bpc9/tYMKxL5AenWZfjoMfGDPJ1UvjIq6VSS
dKJQ/mkGvQ+PIJdt6uC7mvNa/KC2o9quZDtiiKLKyswpyZRUbdLURwzUlGPjhjp+
qf3XwegWsYZUAnUeQ2lOy63Wq6zJGPW4CXqJugTrXJ4cD6NzR8sgWkCeOF4HH5K+
+7SuZt7r4OoOVgiuNx3gfef/ng5FH+tjKmcdOmY/WXd2v7VDNnQnJEoGInyvb6iG
/xNBv1HAQTgH0m/216o3eygxUIuHRB/gQE4mr7oE0pD10kFtxQwYmJqjBx9YyjIS
81GC3zIkOH+3RBQ/3DJmiRVJreTcVRgRRQK+pydedQMRk+w56KYUMrgzuCWvMs27
Hlt4CPSJ7VDeCqtni4D9Q2xIQVsligWZEwB2zgrXuCkq76n+013ZDFtkQam8CLD7
6Nq3+9OSfTsMECXJ811E1wLgaApLsVjMfLt5ZZhPUaLw/2GXDwFMm1Fy3GLSsPiY
sroiqmOZbbu8gxJpW/l60s32O890CKx+Z/Rt/XSjc6ctVqNvf4U=
=xzjK
-----END PGP SIGNATURE-----