LFI / Path Traversal allows an attacker to read any file in the working directory in szabodanika/microbin

Valid

Reported on

Jul 14th 2022


Description

The file upload functionality allows a user to attach a file to a paste. When an attacker views the attached file, they can alter the request path (e.g. via Burp Suite) and read any file in the working directory through a relative path. This also applies to private pastes. The attacker needs to know the target file name; however, the database.json file is always located at ../database.json relative to the served files and contains information on all pastes. This can cause the application data to be compromised.

To fix this, filtering out the dots in the requested path should be enough.

Proof of Concept

Use Burp to intercept the GET request to /file/foo-bar-test/file.txt and change it to /file/../database.json. This returns the file contents of the database.

Impact

Reveals any data within the server's working directory.
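The description and the suggested fix both come down to one rule: the paste id and file name taken from the URL must each be a single plain path segment before they are joined under the data directory. The following is an added example written for this page, not microbin's own code; the data directory name `pasta_data` and the paste id `foo-bar-test` are assumed values for illustration. It shows the naive join that lets `..` escape beside a checked version that refuses it, and it assumes the segments have already been URL-decoded.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive lookup in the spirit of the bug: the URL segments are joined under
/// the data directory with no validation, so a segment of ".." walks out of
/// it. Kept only to contrast with the checked version below.
pub fn naive_file_path(base: &Path, paste_id: &str, file_name: &str) -> PathBuf {
    base.join(paste_id).join(file_name)
}

/// True only if `segment` is exactly one ordinary path component:
/// not empty, not "." or "..", no root, no separators.
fn is_single_normal_component(segment: &str) -> bool {
    let mut comps = Path::new(segment).components();
    matches!((comps.next(), comps.next()), (Some(Component::Normal(_)), None))
}

/// Checked lookup: both URL segments must be plain components, which is
/// what keeps the result under `base`. The check is lexical (no I/O), so it
/// is safe to run before touching the filesystem. Call it on the decoded
/// segments so percent-encoded dots cannot slip past.
pub fn checked_file_path(base: &Path, paste_id: &str, file_name: &str) -> Option<PathBuf> {
    if !is_single_normal_component(paste_id) || !is_single_normal_component(file_name) {
        return None;
    }
    let candidate = base.join(paste_id).join(file_name);
    // Defense in depth: `join` with an absolute segment would replace `base`
    // outright. Note that `starts_with` compares components without
    // normalising, so it would NOT catch "..": the component check above is
    // the real gate.
    if !candidate.starts_with(base) {
        return None;
    }
    Some(candidate)
}

fn main() {
    let base = Path::new("pasta_data"); // assumed data directory name
    println!("{:?}", naive_file_path(base, "..", "database.json"));
    println!("{:?}", checked_file_path(base, "foo-bar-test", "file.txt"));
    println!("{:?}", checked_file_path(base, "..", "database.json"));
}
```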

Timeline

We are processing your report and will contact the szabodanika/microbin team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
ablgh modified the report. (a year ago)
We have contacted a member of the szabodanika/microbin team and are waiting to hear back. (a year ago)
We have sent a follow up to the szabodanika/microbin team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the szabodanika/microbin team. We will try again in 10 days. (a year ago)
Dániel Szabó validated this vulnerability. (a year ago)
ablgh has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Dániel Szabó marked this as fixed in 1.1.0 with commit 05941f. (a year ago)
Dániel Szabó has been awarded the fix bounty.
This vulnerability will not receive a CVE.
Dániel Szabó gave praise (a year ago): This has been addressed by isolating database.json from the served files.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1