December 6, 2023

A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.

The vulnerability, a client-side path traversal, existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring.

A web-facing URL would automatically pull a GET parameter called color_scheme. When that GET request was made, a CSS file was also requested and loaded. Once this CSS file is requested, the front-end code does not sanitize the parameter value, so an attacker can perform a path traversal by causing the same file to be requested from a different path.

This relative path overwrite is not intrinsically a serious bug on its own, but combined with an open redirect it allows attackers to issue a request that forces a redirect to an external domain where a malicious CSS file is hosted.
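As an added illustration (not Acronis code and not from the researcher's write-up), the unsafe pattern described above beside a hardened version: the color_scheme value is used only as a key into an allowlist, never as a path fragment, and any stylesheet URL is checked to be same-origin and under the theme directory before it would be loaded. The base URL, theme names and function names are assumptions.

```javascript
// Added example, not Acronis code. Assumed layout: themes live under
// /static/css/<scheme>.css on a placeholder console host.
const THEME_BASE = "https://console.example.test/static/css/"; // assumed base (placeholder host)
const ALLOWED_SCHEMES = new Set(["light", "dark", "high-contrast"]); // assumed theme names
const DEFAULT_SCHEME = "light";

// Unsafe pattern the article describes: the raw parameter is concatenated into
// the stylesheet path, so "../" sequences change which file the browser requests.
function unsafeThemeUrl(colorScheme) {
  return THEME_BASE + colorScheme + ".css";
}

// Hardened version: the parameter only selects an entry from the allowlist;
// anything else falls back to the default theme and never reaches the URL.
function safeThemeUrl(colorScheme) {
  const scheme = ALLOWED_SCHEMES.has(colorScheme) ? colorScheme : DEFAULT_SCHEME;
  return THEME_BASE + scheme + ".css";
}

// Defence in depth: check a stylesheet URL before a <link> would be added.
// The resolved URL must share the console's origin and stay under THEME_BASE,
// which is exactly what a traversal or an open redirect to another host breaks.
function isTrustedStylesheetUrl(candidate) {
  let resolved;
  try {
    resolved = new URL(candidate, THEME_BASE); // normalises "." and ".." segments
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  const base = new URL(THEME_BASE);
  return resolved.origin === base.origin &&
         resolved.pathname.startsWith(base.pathname) &&
         resolved.pathname.endsWith(".css");
}

// Reads color_scheme from the page URL the way a front end would, using the safe builder.
function themeUrlFromLocation(href) {
  const param = new URL(href).searchParams.get("color_scheme") || DEFAULT_SCHEME;
  return safeThemeUrl(param);
}
```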


Medi discovered a vulnerable API endpoint and Location HTTP header combination in which the user can control the GET parameter. This allowed the researcher to create an exploit with the color_scheme parameter and a redirect, pointing to the domain so user information could be exfiltrated “by using CSS properties”.

Information could include cross-site request forgery (CSRF) tokens, personal data, partner hashes, and other data located in the Document Object Model (DOM) where the crafted CSS file is injected.

A video-based Proof-of-Concept (PoC) attack has been published. Researchers also suggested that this technique could be chained with relative path overwrites and path-relative stylesheet import vulnerabilities.

Researchers’ findings were disclosed privately via the HackerOne platform and the flaw was patched on January 13. A $250 bug bounty was awarded. Researchers also confirmed the bug had been resolved.

This research was documented by researchers from Medi
