
Fixed CSS injection flaw in Acronis Cloud Management Console

CSRF attacks could be unleashed to access and exfiltrate information

A security researcher has revealed a CSS injection flaw in Acronis software that could be exploited for data theft.

On November 4, ‘Medi’ (writing under the pseudonym ‘mr-medi’) posted a technical analysis of the vulnerability, a client-side path traversal flaw they described as the “favorite bug” they had ever found.

The vulnerability existed in Acronis Cloud Management Console, software that manages Acronis services, including cloud backups and resource monitoring.

Path crossing

According to the researcher, the console’s front end would automatically extract a named parameter from the page URL. Then, while that request is in progress, a CSS file is also requested and loaded.

However, when this CSS file is requested, the front-end code does not sanitize the parameter value, so an attacker can perform path traversal and have the same file requested from a different path.

On its own, this relative path substitution is not a significant bug. Combined with an open redirect, however, it allows an attacker to issue a request that is redirected to an external domain where a malicious CSS file is hosted.


Medi found a combination of a vulnerable API endpoint and an HTTP Location header in which the user controls the redirect setting. This allowed the researcher to build an exploit from the color scheme parameter and the redirect, pointing the stylesheet request at an external domain so that user information could be exfiltrated “using CSS properties”.

The impact could include cross-site request forgery (CSRF) and the theft of personal data, partner hashes, and other data located in the Document Object Model (DOM) of the page into which the crafted CSS file is injected.

“If we specify our CSS file in a domain hosted by us, we can perform the CSRF attack via requests by loading an external image using CSS properties such as , or exfiltrate user information such as [an] IP, referral header, or user agent,” the researcher explained. “I used my local server but you can check it in any external domain you own.”
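The chain described above has two links a defender can break: the theme parameter that is dropped unchecked into a stylesheet path, and the redirect that lets the resulting request leave the application's origin. The following is an added example, not code from Acronis or from the researcher's write-up, that contrasts the unsafe concatenation with an allowlisted lookup, adds a same-origin check for redirect targets, and shows how a Content Security Policy restricting stylesheets and images to the site's own origin blocks both the externally hosted CSS file and the image-load beacons it would rely on. The origin, the theme names, and the `colorScheme` argument name are constructed placeholders, and the CSP parser handles only `'self'` and explicit origins.

```javascript
// Added example (not Acronis code): unsafe vs. hardened handling of a
// color-scheme parameter that selects a stylesheet, plus the redirect and
// CSP checks that close the rest of the chain.
const ORIGIN = "https://console.example.test"; // constructed placeholder origin
const THEME_DIR = "/static/themes/";
const KNOWN_THEMES = new Set(["light", "dark", "high-contrast"]); // assumed names

// Vulnerable pattern: the raw query value is concatenated into the href.
// Browsers normalise ".." segments, so the resolved path can leave THEME_DIR.
function unsafeThemeHref(colorScheme) {
  return new URL(THEME_DIR + colorScheme + ".css", ORIGIN).pathname;
}

// Hardened pattern: map the parameter onto a fixed set of theme names and
// fall back to a default. No user-supplied characters reach the path at all.
function safeThemeHref(colorScheme) {
  const theme = KNOWN_THEMES.has(colorScheme) ? colorScheme : "light";
  return THEME_DIR + theme + ".css";
}

// Redirect guard for the open-redirect half of the chain: only accept targets
// that resolve to the application's own origin (protocol-relative URLs such
// as "//other.host/x" resolve to a foreign origin and are rejected too).
function isSameOriginRedirect(target) {
  let resolved;
  try {
    resolved = new URL(target, ORIGIN);
  } catch {
    return false;
  }
  return resolved.origin === ORIGIN;
}

// Mitigation for the exfiltration half: a CSP that restricts stylesheets and
// images to 'self' blocks the externally hosted CSS and the image beacons.
const CSP = "default-src 'self'; style-src 'self'; img-src 'self'";

// Minimal CSP evaluator (assumption: only 'self' and explicit origins matter
// for this demonstration). Falls back to default-src when the directive is
// absent, as browsers do for fetch directives.
function cspAllows(csp, directive, resourceUrl) {
  const directives = Object.fromEntries(
    csp
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .filter((parts) => parts[0])
      .map(([name, ...sources]) => [name, sources])
  );
  const sources = directives[directive] || directives["default-src"] || [];
  const origin = new URL(resourceUrl).origin;
  return sources.some(
    (s) => (s === "'self'" && origin === ORIGIN) || s === origin
  );
}

// Runs each check against constructed inputs and returns the results so a
// caller (or a test) can inspect them.
function demo() {
  return {
    unsafeTraversal: unsafeThemeHref("../../some/other"),
    unsafeNormal: unsafeThemeHref("dark"),
    safeTraversal: safeThemeHref("../../some/other"),
    safeNormal: safeThemeHref("dark"),
    redirectExternal: isSameOriginRedirect("https://other.example.test/x.css"),
    redirectProtocolRelative: isSameOriginRedirect("//other.example.test/x.css"),
    redirectLocal: isSameOriginRedirect("/dashboard"),
    cspExternalStyle: cspAllows(CSP, "style-src", "https://other.example.test/x.css"),
    cspLocalImage: cspAllows(CSP, "img-src", ORIGIN + "/logo.png"),
  };
}

console.log(demo());
```

The point of `safeThemeHref` is that the parameter never becomes part of the path; it only selects among names the application already knows. The redirect check and the CSP are independent layers, so either one on its own would have stopped the stylesheet from being fetched cross-origin even with the traversal still present.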

Chain reaction

A video proof-of-concept (PoC) of the attack has been published. Medi also suggested that the technique could be chained with relative path override and path-relative style sheet import (PRSSI) vulnerabilities.

Medi told The Daily Swig: “Since this is a client-side attack, the main risk is [being able to] exfiltrate information found in the vulnerable page and CSRF attacks. The type of bug depends on how the JavaScript handles user input and the purpose of this setting.

“For example, in Acronis, the vulnerable page was the admin dashboard containing valuable information about their customers [and] the parameter was used to dynamically apply styles […] Other scenarios may involve leading to XSS with more serious issues like CSRF with any HTTP method.”

Medi’s findings were disclosed privately via the HackerOne platform, and the flaw was patched on January 13. A $250 bug bounty was awarded.

Medi has confirmed that the bug has been fixed. On HackerOne, the Acronis team rated the flaw as comparable to a cross-site scripting (XSS) attack, which explains the relatively low bounty despite the possibility of user data exfiltration when the color_scheme parameter is in use.

The Daily Swig has contacted Acronis for further comment and will update this story if we hear back.
