
CVE-2021-41868: Remote unauthenticated attackers able to upload files in Onionshare

CVSS Score (3.1): 9.8

Basic Information

EPSS Score: 0.71356%
CWE: -
Published: 11/19/2021
Updated: 1/27/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
onionshare-cli | pip | >= 2.3, < 2.4 | 2.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from an improper order of operations in the authentication checks. Evidence from GHSA-7g47-xxff-9p85 and issue #1396 shows that:

1) The receive_mode.py file contained HTTP handlers that processed file uploads before validating credentials via Flask-HTTPAuth.
2) The fix in PR #1404 removed Flask-HTTPAuth entirely and implemented Tor ClientAuth at the network layer.
3) The original implementation's 'upload first, authenticate later' pattern is explicitly called out in the vulnerability reports.

The handle_upload and upload_ajax functions are the primary upload entrypoints in receive_mode.py that would contain this flawed logic.
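The 'upload first, authenticate later' ordering described above, shown as an added example (not OnionShare's code and not taken from the advisory): a minimal standard-library WSGI handler in which a 401 response does not mean nothing was written. The names `make_app`, `post` and `authorized`, the in-memory `store` and the credential are all constructed for illustration.

```python
import base64
import hmac
import io

# Constructed credential for the demo; not a real OnionShare value.
EXPECTED = "Basic " + base64.b64encode(b"demo-user:constructed-password").decode()

def authorized(environ):
    supplied = environ.get("HTTP_AUTHORIZATION", "")
    return hmac.compare_digest(supplied.encode(), EXPECTED.encode())

def read_body(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return environ["wsgi.input"].read(length)

def make_app(store, check_first):
    """Build a WSGI upload handler; `store` is a dict standing in for the disk."""
    def app(environ, start_response):
        # Corrected order: reject before the request body is touched.
        if check_first and not authorized(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", "Basic")])
            return [b"denied"]
        # Flawed order when check_first is False: the body is persisted here,
        # before any credential check has run.
        store[environ.get("PATH_INFO", "/")] = read_body(environ)
        if not authorized(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", "Basic")])
            return [b"denied"]
        start_response("200 OK", [])
        return [b"stored"]
    return app

def post(app, body, auth=None):
    """Drive a WSGI app in-process with a constructed request; return the status."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/upload",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

def demo():
    """Send the same unauthenticated upload to both variants."""
    flawed_store, fixed_store = {}, {}
    flawed = post(make_app(flawed_store, check_first=False), b"constructed payload")
    fixed = post(make_app(fixed_store, check_first=True), b"constructed payload")
    return flawed, flawed_store, fixed, fixed_store
```

Both variants answer 401 to the unauthenticated request, so the status code alone does not reveal the flaw; only the contents of the store differ.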

WAF Protection Rules

WAF Rule

OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality.
