SyncFusion's File Explorer
During one of our web application security assessments, we noticed some odd behaviours with one of the functionalities on the application. The exact component was a file explorer for files uploaded onto the application, allowing for storing them in specific directories, renaming files, the standard sort of features you’d expect from a file explorer. After a short look at the file explorer, we identified it was using Syncfusion’s file explorer component:
If you wanted to integrate these into your environment, Syncfusion provide a variety of different “file providers” in different languages/cloud environments:
During our security assessment, we identified that they were using ASP.NET file provider and while not linked on the demo page of the component, their documentation goes into more depth about all of the different file providers available. Luckily for us, they were also open source, meaning it was pretty easy to track down what was running on our client’s production server:
CVE-2023-26563, CVE-2023-26564, CVE-2023-26565
The vulnerabilities we identified in the ASP.NET, Node and SQL server file providers aren’t particularly interesting from an exploitation view, consisting of arbitrary file reads, arbitrary file uploads and SQL injections, but do provide a substantial amount of impact for users of the file explorer. In the case of our client, we managed to access all the uploaded files consisting of a number of legal documents all of which were confidential in nature. In addition to this, as our client didn’t expect this to be vulnerable, this was deployed on another one of their web applications and as such, we were able to read data for a completely unrelated web application.
A full breakdown of the vulnerabilities is available here.
However, these CVEs are more indicative of the dangers of third party solutions, especially those which are advertised as simple drop-in services to make a fancy looking front end component functional. While third party solutions are easy to implement, depending on the company that produced them, they may not be as thoroughly assessed as your organisation’s security standards. Unfortunately, assessing every single line of code in a third party solution, library, framework, etc. is not a feasible approach for many software engineering companies and furthermore.
What's The Solution Then?
- Does the code look like it was well-designed and well-thoughtout?
- Does this look maintained?
- Is the organisation/individual behind the project reputable or well-known?
- Does the organisation/individual respond to issues, pull requests, and questions for the project?
Developing a high quality file explorer is also difficult, there’s a significant amount of logic and functionality to implement and the user expects an experience identical to the file explorer they’re used to. However, we can’t recommend Syncfusion’s current offering, especially as the fixes made by Syncfusion were ineffective and do not prevent any of the issues we informed them of.
As of right now, we recommend removing any of the affected components from your technology stack until Syncfusion can publish effective fixes.
Communication Timeline
- 24/01/2023: Initial contact with Syncfusion with brief descriptions of the vulnerabilities.
- 06/02/2023: No response, asked if there was any update available.
- 08/02/2023: Syncfusion replied saying their team would review and verify the reported problems.
- 27/02/2023: I replied with the assigned CVE numbers: CVE-2023-26563, CVE-2023-26564, CVE-2023-26565 and stated a disclosure time of 24th April 2023.
- 20/03/2023: Syncfusion replied saying fixes had been made.
- 03/04/2023: I replied stating the fixes were ineffective in preventing the patches and attached direct HTTP requests.
- 03/04/2023: Syncfusion replied saying they’d once again review the issues and address it as soon as possible.
- 12/06/2023: Blog post and GitHub repository published.
Ineffective patches:
- https://github.com/SyncfusionExamples/ej2-aspcore-file-provider/commit/0d93d4f8db00a38011d30bbdc832f27bdf56e4d8
- https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem/commit/b96d4ea24a76464f868ec67ee3f299ce0b913d50
- https://github.com/SyncfusionExamples/sql-server-database-aspcore-file-provider/commit/5f690cdeefea0229f0b85dadad3c99324dfa30a2