Allocation of Resources Without Limits or Throttling in psi-4ward/psitransfer
Reported on
May 26th 2021
✍️ Description
Hi, with PsiTransfer we can upload files and protect them with a password.
However, there is an IDOR: the bucket metadata endpoint is served without that password, so an attacker who knows a bucket's sid can retrieve the AES-encrypted metadata of its files.
All that is left is an offline brute force of the password, which yields the metadata of the bucket and the direct download link of the form /files/sid++UUIDv4.
If you protect a file with a password and try to access it via http://localhost:3000/2507a65aac91,
you have to enter the correct password before you get the metadata containing the direct link http://localhost:3000/files/2507a65aac91++dff0ccf6-4bef-4ab5-aef1-3e5da03f8926
Under the hood, the client requests http://localhost:3000/2507a65aac91.json,
which is publicly accessible to anyone who knows (or has guessed) the 6-byte sid; the password is only used on the client to decrypt the response. At 48 bits the sid is not practical to enumerate blindly, so in practice it comes from a link that was shared or otherwise observed.
An attacker can therefore download that encrypted blob and brute-force the password offline, with no server-side rate limiting in the way.
The handler at https://github.com/psi-4ward/psitransfer/blob/c53c6ad0edb0cf36de87b9d13ef6d8d4ba260bd7/lib/endpoints.js#L155 (elided parts marked with /* ... */):

app.get(`${ config.baseUrl }:sid`, (req, res, next) => {
  if (req.url.endsWith('.json')) {
    // strip the ".json" suffix to get the bucket id; no password is checked anywhere in this branch
    const sid = req.params.sid.substr(0, req.params.sid.length - 5);
    /* ... */
    res.json({
      items: db.get(sid).map(data => {
        // Object.assign mutates `data`, so the direct download URL ends up inside the encrypted payload
        const item = Object.assign(data, { url: `${ config.baseUrl }files/${ sid }++${ data.key }` });
        if (item.metadata.password) {
          // the password only serves as the AES key; the ciphertext is returned to any client that knows the sid
          return AES.encrypt(JSON.stringify(data), item.metadata.password).toString();// IDOR
        } else {
          return item;
        }
      }),
      /* ... */
    });
  } /* ... */
});
🕵️‍♂️ Proof of Concept
http://localhost:3000/2507a65aac91
requires a password
http://localhost:3000/2507a65aac91.json
does not require a password, so the encrypted metadata can be fetched and the password brute-forced offline
💥 Impact
An attacker who knows the sid of a password-protected upload can fetch its encrypted metadata without the password, crack the password offline, recover the direct URL of the protected files and download them.
Mitigation
Perform the password check and the decryption on the server side, so that the encrypted metadata is never handed to a client that has not presented the correct password; users then cannot access the encrypted data of other users. Once the check is online, failed attempts can also be throttled, which an offline brute force never is.
Comments from maintainer:
You can limit the filesize https://github.com/psi-4ward/psitransfer/blob/master/config.js#L60 but not the amount of buckets - that's correct. Probably one would create a PR for that?
In my opinion this is not really a security issue but more a vector for a DoS. Could also be solved on server-side (i.e. use a mount with limited space)
There was a little misunderstanding; the issue https://github.com/psi-4ward/psitransfer/issues/176 was reopened, and the maintainer submitted a PR (https://github.com/psi-4ward/psitransfer/pull/225/files) regarding this issue.
https://github.com/psi-4ward/psitransfer/pull/225
Thanks for the heads up @zer0h-bb 👍
@psi-4ward - would you like me to re-open this report, so it can be marked as a legitimate security issue?
yes please, in case of buckets with long retention time and the probability of weak passwords the change should give more security