Improper Access Control in liukuo362573/yishaadmin

Valid

Reported on

Feb 10th 2022


Description

https://www.github.com/liukuo362573/yishaadmin has an endpoint "/admin/File/UploadFile" that allows uploading files without authentication.

Root-cause

The server does not check the user's permissions when the endpoint is accessed. It directly calls the UploadFile function with the parameters supplied by the attacker, which leads to several information security risks.

Impact

An unauthenticated user can upload files to the server. The UploadFile function does check the file format, but an attacker can upload files repeatedly, exhausting the server's hard disk space.
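As an added example of the fix the root-cause and impact sections call for, here is a hardened ASP.NET Core upload action that requires an authenticated principal and bounds per-user storage; it is not YiShaAdmin's code. The controller name, the `Uploads` storage root, the 100 MB per-user quota and the extension allowlist are assumptions for the demonstration, and the example assumes authentication middleware is registered in the application; only the 5 MB size cap comes from the report.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical hardened upload controller; not YiShaAdmin's own FileController.
[ApiController]
[Route("admin/File")]
[Authorize]   // every action now requires an authenticated principal, closing the reported gap
public class HardenedUploadController : ControllerBase
{
    private const long MaxUploadBytes = 5L * 1024 * 1024;       // the 5 MB cap noted in the report
    private const long PerUserQuotaBytes = 100L * 1024 * 1024;  // assumed quota; bounds disk exhaustion
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".pdf" }; // assumed allowlist
    private readonly string _storageRoot;

    public HardenedUploadController(IWebHostEnvironment env)
    {
        _storageRoot = Path.Combine(env.ContentRootPath, "Uploads"); // assumed storage location
    }

    [HttpPost("UploadFile")]
    [RequestSizeLimit(MaxUploadBytes)]   // oversize bodies are rejected before they are buffered
    public async Task<IActionResult> UploadFile(IFormFile file)
    {
        if (file == null || file.Length == 0) return BadRequest("empty upload");
        var ext = Path.GetExtension(file.FileName ?? string.Empty).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) return BadRequest("file type not allowed");

        // The quota is keyed on the authenticated identity, never on anything the client sends.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId)) return Forbid();
        var userDir = Path.Combine(_storageRoot, userId);
        Directory.CreateDirectory(userDir);
        long used = new DirectoryInfo(userDir).EnumerateFiles().Sum(f => f.Length);
        if (used + file.Length > PerUserQuotaBytes)
            return StatusCode(StatusCodes.Status507InsufficientStorage, "storage quota exceeded");

        // Server-generated file name: no client-controlled path component reaches the filesystem.
        var target = Path.Combine(userDir, Guid.NewGuid().ToString("N") + ext);
        using (var stream = System.IO.File.Create(target))
            await file.CopyToAsync(stream);
        return Ok(new { name = Path.GetFileName(target), size = file.Length });
    }
}
```

Repeated uploads by one account are now capped by the quota check, and a request without a valid principal never reaches the UploadFile body at all.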

We are processing your report and will contact the liukuo362573/yishaadmin team within 24 hours. a year ago
nhiephon
a year ago

Researcher


Note: The app allows for a maximum file upload of 5MB. Thus the attacker can upload 205 files to take up 1GB of storage. The simplest way to solve the issue is to implement authentication to avoid attacks from unauthenticated users.

nhiephon modified the report
a year ago
We have contacted a member of the liukuo362573/yishaadmin team and are waiting to hear back a year ago
liukuo362573 validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
liukuo362573 marked this as fixed in 3.1 with commit 43f574 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
nhiephon
a year ago

Researcher


Hi @maintainer,

Why don't you do the fix with the file at https://github.com/liukuo362573/YiShaAdmin/blob/master/YiSha.Web/YiSha.Admin.WebApi/Controllers/FileController.cs#L21?

Also, please review the 2 reports below as the patch is incomplete.

  • https://huntr.dev/bounties/7d45276b-6ef8-4187-9399-45e31df52ad4/
  • https://huntr.dev/bounties/2acdd87a-12bd-4ce4-994b-0081eb908128/

Regards.
