Arbitrary File Upload and XXE Processing Vulnerabilities in Flow

It has been discovered that Flow allows arbitrary file uploads, posing the risk of attacks. Also a case of potential XML External Entity processing was discovered.

– Written by

Component Type: Flow
Vulnerability Type: Arbitrary file upload
Severity: Medium
Affected Versions: 3.0.0 (Arbitrary file upload and XXE) and 2.3.0 to 2.3.6 (only XXE)
Release Date: November 23rd, 2015
Suggested CVSS v2.0(AV:N/AC:L/Au:S/C:P/I:P/A:N/E:ND/RL:OF/RC:C)
CVE: not assigned

Problem Description

It has been discovered that Flow 3.0.0 allows arbitrary file uploads, inlcuding server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked.

In Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

Solution

Update to Flow version 2.3.8 (fixes the XXE issue) or Flow version 3.0.2 (fixes both problems).

Flow 3.0.2 provides a blacklist for file extensions that may be uploaded and/or published. The default blacklist contains a number of file extensions used by popular scripting languages. In both Flow releases the execution of server-side scripts in the public resources folder is disabled by default on Apache. The manual has been amended with a note on securing the setup.

The processing of external entities when loading XML in the MediaTypeConverter was disabled in both Flow releases.

The releases 2.3.7 and 3.0.1 originally fixed the issues, but contained minor regressions that have been discovered and fixed quickly.

Credits

Thanks to Mickael Dorigny (Synetis) who discovered the file upload issue and to Wouter Wolters for reporting the XXE problem. Thanks to Flownative and networkteam for sponsoring the fixes. Thanks to the Neos security team members for reviewing the fixes.