Hard News Hard Hitting News Source Global Political News

CSS injection flaw patched in Acronis cloud management console

A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’) published a technical analysis of the vulnerability, a client-side path traversal attack they described as the “favorite bug” they’ve ever found.

The vulnerability existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring.

Path traversal

According to the researcher, a web-facing URL would automatically pull a GET parameter called color_scheme. Then, when the GET request is underway, a CSS file is also requested and loaded.

However, when this CSS file is asked for, the front-end code doesn’t sanitize the values, so it is possible for an attacker to perform a path traversal by requesting the same file from a different path.

This relative path overwrite isn’t intrinsically an important bug unless you combine it with an open redirect, which allows attackers to issue a request and force a redirect to an external domain where a malicious CSS file is stored.

Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the GET parameter. This allowed the researcher to create an exploit with the color_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.

Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.

“If we specify our CSS file in a domain hosted by us, we can perform the CSRF attack via GET requests by loading an external image using CSS properties like background-image, or exfiltrate user information like [an] IP, Referer header or User Agent,” the researcher explained. “I used my local server but you can check it out in any external domain you own.”
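The front-end flaw described above, shown beside a hardened form, as an added example (not Acronis code and not the researcher's PoC). The host name, the theme directory, the scheme names and both function names are assumptions made for illustration, since the article does not give the console's real paths.

```javascript
// Assumed values for illustration: the article does not give the console's real paths.
const PAGE_URL = "https://console.example.test/mc/app/dashboard";
const THEME_DIR = "/mc/themes/"; // hypothetical stylesheet directory
const ALLOWED_SCHEMES = new Set(["default", "dark", "partner-blue"]); // hypothetical names

// Flawed pattern: the raw color_scheme value is concatenated into the stylesheet path.
function naiveStylesheetUrl(pageUrl) {
  const scheme = new URL(pageUrl).searchParams.get("color_scheme") || "default";
  // The URL parser collapses "../" segments, so the result can leave THEME_DIR.
  return new URL(THEME_DIR + scheme + ".css", pageUrl).href;
}

// Hardened pattern: allowlist the value, then verify where the URL really resolves.
function safeStylesheetUrl(pageUrl) {
  const page = new URL(pageUrl);
  const requested = page.searchParams.get("color_scheme");
  const scheme = ALLOWED_SCHEMES.has(requested) ? requested : "default";
  const resolved = new URL(THEME_DIR + encodeURIComponent(scheme) + ".css", page);
  // Defence in depth: same origin and still inside the theme directory,
  // so the request can never reach another endpoint on the console.
  if (resolved.origin !== page.origin || !resolved.pathname.startsWith(THEME_DIR)) {
    return new URL(THEME_DIR + "default.css", page).href;
  }
  return resolved.href;
}

// Constructed inputs: one legitimate value and one traversal value.
const samples = [
  PAGE_URL + "?color_scheme=dark",
  PAGE_URL + "?color_scheme=" + encodeURIComponent("../../other/path"),
];

for (const sample of samples) {
  console.log("naive:", naiveStylesheetUrl(sample));
  console.log("safe: ", safeStylesheetUrl(sample));
}
```

A Content-Security-Policy with style-src limited to the console's own origin is a complementary control, because the browser also applies it to the target of a redirect.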

Chain reaction

A video-based Proof-of-Concept (PoC) attack has been published. Medi has also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import (PRSSI) vulnerabilities.

Medi told The Daily Swig: “Since this is an attack relying on the client side, the main risk is [being able to] exfiltrate information found in the vulnerable page and CSRF attacks. The type of bug depends on how the JavaScript handles the user input and the purpose of that parameter.

“For example, in Acronis, the vulnerable page was the admin dashboard containing valuable information about their customers [and] the parameter was used to dynamically apply styles […] Other scenarios may involve leading to XSS with more serious issues like CSRF with any HTTP method.”

Medi’s findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded.

Medi confirmed the bug had been resolved. On HackerOne, the Acronis team likened the security flaw to a reflected cross-site scripting (XSS) attack, which, despite the possibility of user data exfiltration when the color_scheme is in use, accounts for the relatively low bug bounty.

The Daily Swig has reached out to Acronis for further comment and we will update this story as and when we hear back.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/css-injection-flaw-patched-in-acronis-cloud-management-console
