External Control of File Name or Path in hascheksolutions/opentrashmail

Valid
Reported on Jun 25th 2021

✍️ Description

Attackers can control the filesystem path argument passed to readfile() at api.php line 35 via the ?email= parameter, which allows them to access or modify otherwise protected files.

Analysis Trace:

  1. The application takes unsanitized input at: $email = strtolower($_REQUEST['email']);
  2. The user input is assigned to the file path: $filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
  3. Finally the file is read at: readfile($filepath);
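The trace above shows the three steps of the flaw: request input, path concatenation, file read. The following is an added example, not opentrashmail's own code, that places that vulnerable pattern beside a hardened version of the same lookup. The constant names ROOT and DS are taken from the trace; their values, the request-key names beyond email, and the allow-list patterns for the mailbox, id and filename are assumptions.

```php
<?php
// Added example (not opentrashmail's code): vulnerable pattern from the report's
// analysis trace beside a hardened version. ROOT/DS values are assumptions.
define('DS', DIRECTORY_SEPARATOR);
define('ROOT', __DIR__);

// --- Vulnerable pattern, as described in the analysis trace ---
// $email flows from the request straight into the path, so "\..\..\" (Windows)
// or "../../" (POSIX) steps out of the data directory before readfile() runs.
function attachmentPathUnsafe(array $request): string
{
    $email    = strtolower($request['email']);
    $id       = $request['id'];
    $filename = $request['filename'];
    return ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
}

// --- Hardened version ---
// 1. Allow-list every path component before it touches the filesystem.
// 2. Resolve the built path with realpath() and require that it is still
//    inside the data directory (defence in depth against symlinks and
//    encodings the allow-list might not anticipate).
function isSafeComponent(string $s, string $pattern): bool
{
    // No separators of either flavour, no "..", no NUL bytes, not empty.
    if ($s === '' || strpos($s, "\0") !== false) {
        return false;
    }
    if (strpbrk($s, '/\\') !== false || strpos($s, '..') !== false) {
        return false;
    }
    return preg_match($pattern, $s) === 1;
}

function attachmentPathSafe(array $request): ?string
{
    $email    = strtolower($request['email'] ?? '');
    $id       = $request['id'] ?? '';
    $filename = $request['filename'] ?? '';

    // Assumed shapes: local@domain mailbox, alphanumeric id, plain filename.
    if (!isSafeComponent($email, '/^[a-z0-9._+-]+@[a-z0-9.-]+$/')
        || !isSafeComponent($id, '/^[a-z0-9]+$/i')
        || !isSafeComponent($filename, '/^[a-z0-9._ -]+$/i')) {
        return null;
    }

    $dataDir = realpath(ROOT.DS.'..'.DS.'data');
    if ($dataDir === false) {
        return null;
    }
    $candidate = $dataDir.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
    $resolved  = realpath($candidate);

    // realpath() returns false for a missing file, which is simply "not found";
    // any resolved path outside $dataDir is treated the same way.
    if ($resolved === false || strpos($resolved, $dataDir.DS) !== 0) {
        return null;
    }
    return $resolved;
}

// Usage sketch for the attachment handler: refuse with 404 on any rejection so
// the response does not distinguish "invalid path" from "no such attachment".
$path = attachmentPathSafe($_REQUEST);
if ($path === null) {
    http_response_code(404);
    exit;
}
readfile($path);
```

The allow-list is the primary control: a request such as the one in the proof of concept is rejected at the first check because the email component contains path separators and "..". The realpath() containment test is kept as a second, independent layer so that the handler stays safe if the allow-list is later loosened.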

🕵️‍♂️ Proof of Concept

1. Visit /api.php?action=attachment&email=\..\..\..\..\..\Windows\win.ini&id=valid_id&filename=valid_filename, with the GET variables replaced by valid values; arbitrary files on the server can be read.

💥 Impact

The program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker, resulting in arbitrary file read and information leakage.

We have contacted a member of the hascheksolutions/opentrashmail team and are waiting to hear back (a month ago)
Christian Haschek validated this vulnerability a month ago
Akshay Jain has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
Akshay Jain submitted a
a month ago
Akshay Jain
a month ago

Researcher


Hi Christian, I have submitted the patch for this. Please check.

Akshay Jain
a month ago

Researcher


Hi @Christian, any updates?

Christian
a month ago

Maintainer


Looking good, can you make a pull request?

Akshay Jain
a month ago

Researcher


Also, I have one pending issue, can you please validate it? :) Thanks! https://www.huntr.dev/bounties/1624705958693-HaschekSolutions/opentrashmail/