CVE-2024-47067
📋 TL;DR
AList file management software contains a reflected cross-site scripting vulnerability where user input is directly reflected in XML responses without proper sanitization. This allows attackers to inject malicious scripts that execute in victims' browsers when they visit crafted URLs. All AList instances running versions before 3.29.0 are affected.
💻 Affected Systems
- AList
📦 What is this software?
Alist by Alistgo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware to users accessing the vulnerable endpoint.
Likely Case
Session hijacking leading to unauthorized access to stored files, credential theft, or defacement of the AList interface.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is straightforward due to reflected input without sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.29.0
Vendor Advisory: https://github.com/alist-org/alist/commit/6100647310594868e931f3de1188ddd8bde93b78
Restart Required: Yes
Instructions:
1. Backup your AList configuration and data.
2. Stop the AList service.
3. Update to version 3.29.0 or later using your package manager or by downloading from GitHub.
4. Restart the AList service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads targeting the /i/:link_name endpoint.
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict access to the AList instance using network controls (firewall rules) to only trusted users.
- Implement input validation at the reverse proxy/load balancer level to sanitize user input in the /i/:link_name endpoint.
🔍 How to Verify
Check if Vulnerable:
Test by accessing /i/<script>alert('xss')</script> endpoint and checking if script executes in browser. Use browser developer tools to inspect response.
Check Version:
./alist version or check the web interface footer for version information.
Verify Fix Applied:
After updating to 3.29.0+, test the same payload - it should be properly encoded and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /i/ endpoint with script tags or JavaScript payloads
- Multiple failed login attempts following XSS payload requests
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in the /i/:link_name path parameter
SIEM Query:
source="alist.log" AND uri_path="/i/*" AND (http_user_agent CONTAINS "<script>" OR uri_path CONTAINS "<script>")
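To turn the log and network indicators above into something you can run, here is an added example (not from this page or the AList project) that scans access-log lines, URL-decodes the request path and flags script-like payloads aimed at the /i/ link endpoint. The combined-log layout, the sample lines and the marker patterns are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a common combined-log layout; not real AList logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /i/report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /i/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:12:00:03 +0000] "GET /api/fs/list HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2024:12:00:04 +0000] "GET /i/x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Assumed access-log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of script injection attempts, checked against the URL-decoded path.
# \b before "on" avoids matching ordinary words such as "config=".
SUSPICIOUS = re.compile(
    r'<\s*script|javascript:|\bon[a-z]+\s*=|<\s*svg|<\s*img', re.IGNORECASE
)


def decode_path(raw: str) -> str:
    """Decode twice so double-encoded payloads are still visible."""
    return unquote(unquote(raw))


def flag_xss_attempts(log_text: str) -> list[dict]:
    """Return one record per request to /i/ whose decoded path carries a script-like payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        decoded = decode_path(m["path"])
        if decoded.startswith("/i/") and SUSPICIOUS.search(decoded):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": decoded, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in flag_xss_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the payload reached the handler, which is the case to prioritise on unpatched instances.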