Local Web UI Vulnerabilities

In 2016 and 2017 I spent a bit of time looking for security bugs in the apps I use that have web UIs. That is, the application includes a web server and the user controls the app through their browser.

There are a lot of good reasons to provide a web UI, and I think they tend to be more pleasant to write, but they're usually harder to secure than native UIs are.

Some of these vulnerabilities are a little interesting, but I think the more interesting thing was that I found vulnerabilities in three of the four apps I investigated. (The fourth was SABnzbd.)

Also, all of the vulnerabilities I found could be used to remotely execute arbitrary code on the user's system under some conditions, though that might have more to do with the type of applications I looked into, since they happened to be somewhat related.

Most of the vulnerabilities share similarities as well. They mostly allow some form of CSRF that can change the app's configuration.
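As an added example (not code from any of these write-ups or the projects concerned), this is the kind of request filter a local web UI can put in front of a configuration-changing endpoint so that a forged cross-site request from a page the user happens to be visiting is rejected. The port 8112 and hostnames are constructed sample values.

```python
"""CSRF defense for a local web UI's configuration endpoint (added example).

Two independent checks are applied to every state-changing request, so a
forged cross-site request is blocked even if one check is bypassed:
  1. the Origin header (or, failing that, Referer) must be the UI's own origin;
  2. a per-session anti-CSRF token must be present and match.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Origins the browser legitimately loads the UI from (constructed values).
ALLOWED_ORIGINS = {"http://localhost:8112", "http://127.0.0.1:8112"}

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], as a browser does for Origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def new_session_token() -> str:
    """Unpredictable token to embed in the UI's pages and bind to the session."""
    return secrets.token_urlsafe(32)


def is_request_allowed(method: str, headers: dict, form: dict,
                       session_token: str) -> tuple:
    """Return (allowed, reason) for a request to a config-changing endpoint."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # Check 1: request must come from the UI's own origin. Origin is preferred;
    # Referer is the fallback for browsers that omit Origin on same-origin POSTs.
    src = hdrs.get("origin") or hdrs.get("referer")
    if not src:
        return False, "missing Origin/Referer"
    if origin_of(src) not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin_of(src)}"
    # Check 2: anti-CSRF token bound to the session, compared in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session_token):
        return False, "bad or missing CSRF token"
    return True, "ok"
```

A third-party page can make the browser send a POST to localhost:8112, but it cannot read the token out of the UI's pages, and its request carries its own Origin, so both checks fail independently.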

I didn't look for bugs in any of the Electron apps I use, but apparently they can also suffer from some of the kinds of vulnerabilities commonly found in web apps. See Modern Alchemy: Turning XSS into RCE and CVE-2018-1000136 - Electron nodeIntegration Bypass.

I should also mention that all of the developers I reported these vulnerabilities to were very responsive and got fixes out to their users quickly.

Deluge

A CSRF bug (CVE-2017-7178) and a path traversal bug (CVE-2017-9031) in the Deluge BitTorrent client, version 1.3.13.

Sonarr

A CSRF bug and an authentication bypass bug in version 2.0.0.5054 of Sonarr, a PVR application.

Plex Media Server

A CSRF bug in Plex Media Server v1.0.3, a personal media library application. First discovered by Stefan Viehböck of SEC Consult Vulnerability Lab in v0.9.9.10.