
A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.
The vulnerability existed in the Acronis cloud management console a client-side path traversal attack. The software manages Acronis services, including cloud backups and resource monitoring.
A web-facing URL would automatically pull a GET parameter called color_scheme. Then, when the GET request is underway, a CSS file is also requested and loaded. once this CSS file is asked for, the front-end code doesn’t sanitize the values, so it is possible for an attacker to perform a path traversal by requesting the same file from a different path.
This relative path overwrite isn’t intrinsically an important bug unless you combine it with an open redirect, which allows attackers to issue a request and force a redirect to an external domain where a malicious CSS file is stored.
Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the GET parameter. This allowed the researcher to create an exploit with the color_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.
Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.
A video-based Proof-of-Concept (PoC) attack has been published. Researchers also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import vulnerabilities.
Researchers’ findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded. Researchers also confirmed the bug had been resolved.
This research was documented by researchers from Medi