Document Title: =============== Air Share v1.2 iOS - Multiple Cross Site Web Vulnerabilities Date: ===== 2020-04-22 References: =========== https://www.vulnerability-lab.com/get_content.php?id=2204 VL-ID: ===== 2204 Common Vulnerability Scoring System: ==================================== 4.4 Vulnerability Class: ==================== Multiple Introduction: ============= Air Share Transfer Music, Videos, Documents, Photos or Any Files from PC / Mac to your iPhone / iPad by just Drag & Drop. File types supported by Air Share to preview or to play. You can even use Air Share as a wireless USB drive to carry any file type without any problem. (Copy of the Homepage: https://apps.apple.com/de/app/air-share-wifi-file-transfer/id1126257410 ) Abstract: ========= The vulnerability laboratory core research team discovered multiple cross site web vulnerabilities in the official Air Share v1.2 mobile ios web-application. Affected Product(s): ==================== Dropouts Technologies LLP Product: Air Share v1.2 (iOS) Mobile Application (+Lite Version) Report-Timeline: ================ 2020-04-22: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple cross site and validation web vulnerabilities has been discovered in the official Air Share v1.2 mobile ios web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent and non-persistent attack vector to compromise client- and application-side requests of the mobile ios application. 1.1 The first vulnerability is located in the `path` parameter of the `list` and `download` exception-handling. Remote attackers are able to inject own malicious script code to the path parameter to manipulate the error message output context of the air share ui. The request method to inject is GET and the attack vector is located on the client-side of the mobile ios web-application. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules. 1.2 The second web vulnerability is located in the `devicename` parameter that is displayed on the top next to the Air Share index list. Remote attackers are able to inject own malicious persistent script code by manipulation of the local apple devicename information. The injection point is the devicename information and the execution point occurs in the file sharing ui panel of the air share mobile web-application. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules. Request Method(s): [+] GET Vulnerable Parameter(s): [+] download [+] list Vulnerable Parameter(s): [+] path [+] devicename Proof of Concept: ================= 1.1 The non-persistent cross site web vulnerabilities can be exploited by remote attackers with wifi access and low user interaction. For security demonstration or to reproduce the security web vulnerability follow the provided information and steps below to continue. PoC: Vulnerable Source HTTP Error 404

HTTP Error 404: ">"