CVE-2024-45186: Unauthenticated SSTI bug in FileSender exposes MySQL & S3 credentials and other configuration variables, potentially leaking all (sometimes encrypted) user uploaded files. Dutch Universities affected. | by Jonathan Bouman | Oct, 2024


FileSender is an open-source web application designed for securely transferring large files. The idea for FileSender was born in 2007 during a task-force meeting of the pan-European network for the research and education community GÉANT. Its main goals were to facilitate painless sharing of arbitrarily large files with a private audience through a trusted intermediary. The governance of the open-source project has been organized as a program within the Commons Conservancy foundation.

FileSender is primarily built using PHP and uses MySQL or PostgreSQL for its database. Over the years it has evolved to support features such as user authentication, file encryption, an audit trail, guest access and customizable user interfaces.

An important fact to mention is that client-side encryption is supported. This means that during upload the user has the option to encrypt the file to be transferred; this happens blob-by-blob, and the entire process is handled inside the browser using a self-chosen password. These encrypted blobs are uploaded to the FileSender instance, and the downloader decrypts them locally using the same password. If any data is stolen from the instance, it remains protected by the password.

Currently, FileSender is widely used by educational institutions, research organizations, and businesses around the world that need a reliable way to send large files securely. My hospital, Amsterdam University Medical Center, and the University of Amsterdam have been among them for the last 15 years.

As we aim to identify impactful bugs, this could be an excellent target for closer examination, particularly since SURF, which offers the service under the brand SURFfilesender, supports the principles of coordinated vulnerability disclosure.

FileSender is typically used by authenticated users to send files, so we want to find a bug that does not require any authentication and a way to affect all the FileSender instances that are online.

To map all the unauthenticated paths we start Burp Suite, MITM our browser (or try Caido), and try every functionality that exists in FileSender!

Some of the most interesting endpoints are the ones used to download files. Obviously the receiver could be anyone (as any email address is allowed), which means there is unauthenticated functionality to test.

After some testing I discovered that if a file has expired (by default it is deleted after 7 days) an error would be returned:
