Unrestricted File Upload in bigbluebutton/bigbluebutton
Reported on
Nov 2nd 2022
BigBlueButton 2.5.6 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures.
- PoC:
1- Submit the request to insertDocument, specifying the extension:
https://drive.google.com/file/d/1oNxSBgVm1m3eaQ-SXlJjChlES8oi_l_4/view?usp=share_link
2- Below we see the log file & the file on the file system:
https://drive.google.com/file/d/1sgzr4iiMsNjsjdO0tI45C5o0yI17w8us/view?usp=share_link
https://drive.google.com/file/d/1_Tb_je8DqyHMHgwSOF-kRxx5MD8ezQtP/view?usp=share_link
Impact
1- AV distribution
2- Utilizing the file with another vulnerability/issue
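An added example, not BigBlueButton's code or its fix: a Python sketch of an upload handler that avoids the two flaws described in the report, by checking the extension before anything is written and by deleting the saved file if a later validation step fails. The allow-list, the names `store_upload` and `UploadRejected`, and the magic-byte check are assumptions made for illustration.

```python
import os
import secrets

# Assumed allow-list: extension -> leading bytes expected in a genuine file.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


class UploadRejected(Exception):
    """Raised when an upload fails validation; nothing is left on disk."""


def store_upload(upload_dir: str, client_name: str, data: bytes) -> str:
    # 1. Validate the extension BEFORE touching the file system.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} is not allowed")

    # 2. Server-chosen name: the client-supplied name never becomes a path.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    keep = False
    try:
        # "xb" fails if the path already exists instead of overwriting it.
        with open(path, "xb") as fh:
            fh.write(data)
        # 3. Post-save validation, reading the stored file back
        #    (a stand-in for a real conversion or scanning step).
        with open(path, "rb") as fh:
            head = fh.read(len(magic))
        if head != magic:
            raise UploadRejected(f"content does not match {ext}")
        keep = True
        return path
    finally:
        # 4. Any failure after the write removes the file again.
        if not keep and os.path.exists(path):
            os.remove(path)
```
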
@ffdixon
Hi Fred, kindly indicate if there is any update.
Hi @annfalotaibi, we've a dev working on it now.
@bigbluebutton/bigbluebutton Thank you for the confirmation, I'd appreciate it if you could mark the issue as valid, and look into the other issues especially the ones related to Greenlight as they are critical.
@farhatahmad @tainan404 Hi team, I would truly appreciate it if you could mark this finding as fixed, and publish it as a CVE (this option appears to the maintainers after marking the issue as fixed).
@tainan404 Hi Tainan, I'd appreciate it if you could release a CVE on that from your end through Github.
Hi @annfalotaibi,
I have requested a CVE as part of https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc. Typically it takes up to a day to get it, I'll keep you posted!