Unrestricted Upload of File with Dangerous Type in cortezaproject/corteza-server
Aug 20th 2021
Hi team, I found an Unrestricted File Upload on https://latest.cortezaproject.org/ which let me upload anything. File extensions such as .html, .svg and others should not be executed on the server side.
Proof of Concept
Steps to Reproduce
1- Go to the Employees tab and choose an employee to change their photo.
2- After that, click on clone to upload a file.
3- Upload your shell saved as svg as the profile picture.
4- After we click on save, we notice that the file is saved on the server with a svg extension.
The SVG file contains the following payload, which allowed us to display cookies stored in localStorage, for example:
Remark: this vulnerability is present in all image upload tabs.
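As an added defensive example (not code from the report or from the Corteza project), a Go upload check of the kind that closes this class of issue: the file type is decided from the bytes and allowlisted to raster formats, the extension must agree with the sniffed type, and stored files are served with headers that stop a browser rendering them as a document. The function names and the sample inputs are assumed/constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Sniffed MIME type -> extensions accepted for it. Only raster formats are listed:
// a browser cannot run script from them, unlike an SVG or HTML upload.
var allowedImageTypes = map[string]map[string]bool{
	"image/png":  {".png": true},
	"image/jpeg": {".jpg": true, ".jpeg": true},
	"image/gif":  {".gif": true},
}

// ValidateProfileImage decides from the bytes, never from the client-supplied name or
// Content-Type header, whether an upload may be stored, and returns the type to persist.
func ValidateProfileImage(filename string, data []byte) (string, error) {
	// Sniff the first 512 bytes; SVG/HTML sniff as text/xml, text/html or text/plain.
	sniffed := http.DetectContentType(data)
	if i := strings.IndexByte(sniffed, ';'); i >= 0 {
		sniffed = strings.TrimSpace(sniffed[:i]) // drop "; charset=..."
	}
	exts, ok := allowedImageTypes[sniffed]
	if !ok {
		return "", fmt.Errorf("upload rejected: content sniffed as %q is not an allowed image", sniffed)
	}
	ext := strings.ToLower(path.Ext(filename))
	if !exts[ext] {
		return "", fmt.Errorf("upload rejected: extension %q does not match content %q", ext, sniffed)
	}
	return sniffed, nil
}

// SafeDownloadHeaders: direct navigation to a stored upload downloads it, and the
// browser is told not to re-sniff the type, so a stored file is never rendered as a page.
func SafeDownloadHeaders(h http.Header, contentType, filename string) {
	h.Set("Content-Type", contentType)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", path.Base(filename)))
}

func main() {
	// Constructed samples: a PNG signature padded with zeros, and an empty SVG document.
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 16)...)
	svg := []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>`)
	fmt.Println(ValidateProfileImage("photo.png", png)) // image/png <nil>
	fmt.Println(ValidateProfileImage("photo.svg", svg)) // rejected: text/xml is not an allowed image
}
```

A renamed SVG (photo.png containing XML) is rejected on content, and a real PNG uploaded as photo.svg is rejected on the extension mismatch, so neither the name nor the declared type can be used to smuggle a document through.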
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement. Here is the list of attacks that the attacker might carry out:
--Compromise the web server by uploading and executing a web shell which can run commands, browse system files, browse local resources, attack other servers, exploit the local vulnerabilities, and so forth.
--Put a phishing page into the website.
--Put a permanent XSS into the website.
--Bypass cross-origin resource sharing (CORS) policy and exfiltrate potentially sensitive data.
--Upload a file using a malicious path or name which overwrites a critical file or personal data that other users access. For example, the attacker might ---