DFIR-IRIS Web Arbitrary File Deletion Vulnerability via Mass Assignment

Vulnerability

A critical vulnerability exists in the DFIR-IRIS web collaborative platform, in the datastore file management code, prior to version 2.4.24. The root cause is mass assignment of the file_local_name field combined with unvalidated trust in that stored path during the delete operation; together they let any authenticated user delete files at arbitrary filesystem locations. Exploitation is a three-step process: the authenticated user uploads a file; the user then updates the file record and, through mass assignment, sets file_local_name to a chosen filesystem path; finally the user triggers the delete operation, which unlinks whatever that path points to without verifying it. The deletion code incorrectly assumes that every stored path is a safe, UUID-based path under the datastore, so a tampered record turns a routine delete into arbitrary file deletion, with potential for system compromise and operational disruption.

Impact

Exploitation of this vulnerability allows an authenticated user to delete arbitrary files. What can actually be removed is bounded by the filesystem permissions of the account running the DFIR-IRIS web process; within that bound, deleting configuration, evidence or application files can cause significant operational disruption and system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user first uploads a file to the DFIR-IRIS datastore. Once the file is stored, the user updates the file record and includes the file_local_name field in the request body; because the update handler mass-assigns submitted fields onto the record, the stored path now points at an arbitrary location on the filesystem. The user then triggers the delete operation for that record, which removes the file at the substituted path without any validation.
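The upload, retarget and delete chain described in the Vulnerability and Reproduction sections above, as an added, self-contained illustration that is not DFIR-IRIS code: a throwaway datastore directory, a vulnerable update/delete pair that mass-assigns request fields and trusts the stored path, and a hardened pair that allow-lists the updatable fields and, before unlinking, checks that the stored path resolves inside the datastore root and carries a UUID file name. Only the field name file_local_name comes from the advisory; the other record fields, the function names and the victim file are assumptions constructed for the demo.

```python
"""
Added illustration of the mass-assignment -> arbitrary-delete chain and its
hardened counterpart. Not DFIR-IRIS code: record fields other than
file_local_name, function names and the on-disk layout are assumptions.
"""
import os
import re
import tempfile
import uuid
from dataclasses import dataclass

# Datastore files are expected to be named by a UUID4 directly under the root.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


@dataclass
class DatastoreFile:
    """Minimal stand-in for a datastore file record (field set is assumed)."""
    file_original_name: str
    file_local_name: str          # absolute on-disk path; meant to be <root>/<uuid>
    file_description: str = ""


def store_upload(root, original_name, data):
    """Step 1: write an upload under a fresh UUID and record its path."""
    local = os.path.join(root, str(uuid.uuid4()))
    with open(local, "wb") as fh:
        fh.write(data)
    return DatastoreFile(file_original_name=original_name, file_local_name=local)


# ---- vulnerable pattern ---------------------------------------------------
def update_file_unsafe(rec, payload):
    """Mass assignment: every key in the request body lands on the record."""
    for key, value in payload.items():
        setattr(rec, key, value)


def delete_file_unsafe(rec):
    """Trusts the stored path as if it were always <root>/<uuid>."""
    os.remove(rec.file_local_name)


# ---- hardened pattern -----------------------------------------------------
UPDATABLE_FIELDS = frozenset({"file_original_name", "file_description"})


def update_file_safe(rec, payload):
    """Allow-list the fields a client may change; everything else is dropped."""
    for key, value in payload.items():
        if key in UPDATABLE_FIELDS:
            setattr(rec, key, value)


def delete_file_safe(root, rec):
    """Unlink only a UUID-named file that really resolves inside the root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(rec.file_local_name)   # resolves symlinks and ..
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise ValueError("path escapes datastore root")
    if not UUID_RE.match(os.path.basename(real_path)):
        raise ValueError("not a datastore file name")
    os.remove(real_path)


def run_chain(safe):
    """Run upload -> update -> delete against a throwaway tree.
    Returns whether the record was retargeted and whether the victim file
    (constructed outside the datastore root) was deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "datastore")
        os.mkdir(root)
        victim = os.path.join(tmp, "victim.conf")        # constructed target
        with open(victim, "w") as fh:
            fh.write("keep me\n")
        rec = store_upload(root, "notes.txt", b"hello")
        # Step 2: the request body smuggles file_local_name next to a benign field.
        payload = {"file_description": "renamed", "file_local_name": victim}
        if safe:
            update_file_safe(rec, payload)
            retargeted = rec.file_local_name == victim
            delete_file_safe(root, rec)                  # removes the real upload
        else:
            update_file_unsafe(rec, payload)
            retargeted = rec.file_local_name == victim
            delete_file_unsafe(rec)                      # Step 3: removes victim
        return {"record_retargeted": retargeted,
                "victim_deleted": not os.path.exists(victim)}


def guard_rejects_tainted_record():
    """Defence in depth: even if a record's path were tainted some other way,
    delete_file_safe refuses it. Returns (refusal reason, victim still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "datastore")
        os.mkdir(root)
        victim = os.path.join(tmp, "victim.conf")
        open(victim, "w").close()
        rec = DatastoreFile("x", victim)                 # poisoned record
        try:
            delete_file_safe(root, rec)
        except ValueError as exc:
            return str(exc), os.path.exists(victim)
        return None, os.path.exists(victim)


if __name__ == "__main__":
    print("vulnerable:", run_chain(safe=False))
    print("hardened:  ", run_chain(safe=True))
    print("guard:     ", guard_rejects_tainted_record())
```

The two checks in delete_file_safe are deliberately independent: the allow-list in update_file_safe stops the record from being retargeted in the first place, and the root-containment plus UUID-name check stops a delete from acting on a path that should never have been stored, whatever put it there. Using realpath before commonpath matters because a symlink or a ".." segment placed under the root would otherwise pass a naive string-prefix test.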

Remediation

Users are advised to update to DFIR-IRIS version 2.4.24 or later, where this vulnerability has been fixed.

Added: Jan 12, 2026, 7:19 PM
Updated: Jan 12, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.