Unrestricted File Upload in Part Attachment in inventree/inventree

Valid

Reported on

Jun 11th 2022


Description

The application inventree allows users to upload any file as a part attachment, allowing an attacker to render files such as HTML in the browser.

Proof of Concept

Video PoC Link: https://drive.google.com/file/d/1vurBkHegeYCwbXopE5Yhyb702rYgG9FM/view?usp=sharing

Impact

An authenticated user can upload a dangerous file anywhere on the server (example: uploading a file with an .html extension leads to stored XSS).

References

We are processing your report and will contact the inventree team within 24 hours.
a month ago
Matthias Mair
25 days ago

As of now, this is intended. Any file can be added by authorized users. I will discuss this with the team and then we will decide how to classify this.

Matthias Mair has marked this vulnerability as informative 24 days ago

Hi there @saharshtapi . The dev team decided this is expected behaviour. We will add notes to our docs and maybe the ui and thank you for your consideration. It is a core workflow to upload html test reports via the api so we can not cut this option.

The disclosure bounty has been dropped
The fix bounty has been dropped
The researcher's credibility has not been affected
saharshtapi
24 days ago

Researcher


I totally understand, but a better practice would be to download the file on clicking the link rather than opening it in the browser using the server's URL. Doing this will prevent any kind of XSS attack which can allow an attacker to change privileges or other harmful scenarios, as the file will be getting downloaded.

Oliver
23 days ago

@saharshtapi a very good point and I will issue a fix to ensure files are downloaded rather than opened directly in the browser.
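
The download-instead-of-render fix agreed on above, as an added example that is not InvenTree's own code (the function and header names are hypothetical): a pure-Python helper that builds the response headers an attachment endpoint should emit, shown beside the original inline behaviour, with a filename sanitiser for the `Content-Disposition` value.

```python
"""Serve user-uploaded attachments as downloads, never rendered in-page.

Added example, not InvenTree code. inline_headers() mirrors the reported
behaviour (the browser renders an uploaded .html in the site's origin);
attachment_headers() is the hardened form.
"""
import os
import re
from urllib.parse import quote

# Media types a browser will render and that can run script in the site's origin.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}


def inline_headers(filename: str, content_type: str) -> dict:
    """Unsafe: stored type passed through, no disposition -> browser renders it."""
    return {"Content-Type": content_type}


def safe_filename(filename: str) -> str:
    """Keep only the base name; drop control characters (header injection via
    CR/LF) and double quotes (breaks the quoted-string in Content-Disposition)."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r'[\x00-\x1f\x7f"]', "", name).strip()
    return name or "download"


def attachment_headers(filename: str, content_type: str) -> dict:
    """Hardened: force a download, forbid MIME sniffing, and replace any
    renderable type with application/octet-stream."""
    name = safe_filename(filename)
    # ASCII fallback for old clients, plus the RFC 5987 UTF-8 form (filename*)
    ascii_name = name.encode("ascii", "replace").decode("ascii").replace("?", "_")
    base_type = content_type.split(";")[0].strip().lower()
    return {
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(name, safe='')}"
        ),
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream" if base_type in RENDERABLE
        else content_type,
    }
```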

saharshtapi
23 days ago

Researcher


@maintainer can you please validate this report, as you can see my perspective now; many applications also face a similar issue and I think I can ask this much in return 😃🦾.

Matthias Mair
23 days ago

We are working on that - it seems to be a manual process to change that.

Jamie Slome
22 days ago

Admin


I've reopened the report for you ♥️ Feel free to proceed as you wish @maintainer!

Oliver validated this vulnerability 22 days ago
saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver confirmed that a fix has been merged on 26bf51 22 days ago
Oliver has been awarded the fix bounty
Matthias Mair
22 days ago

@saharshtapi sorry for the delay and thank you for suggesting the fix we didn't think about before!

saharshtapi
22 days ago

Researcher


@maintainer great work on fixing all the bugs in such a short time. 🎉🍾

Matthias Mair
22 days ago

@sarahstapi we try to keep our users safe - if the community keeps reporting we will keep fixing ;-). All XSS reports were caused by the same error so the fix by @Oliver was released in under 1 day after we decided it was an issue.

saharshtapi
21 days ago

Researcher


@admin Can you assign CVE?

Jamie Slome
21 days ago

Admin


Before we proceed with CVEs for each of the reports, we first require the permission of the maintainer 👍

@maintainer - are you happy for us to assign and publish CVEs for each of the recent valid reports?

Oliver
21 days ago

All confirmed reports have now been patched and published here - https://github.com/inventree/InvenTree/security/advisories?state=published

So yes, we are happy for these to be made public now

Jamie Slome
20 days ago

Admin


That is great - shall I proceed with a CVE for each valid and public report? A CVE is good practice and allows users of your software to know about the vulnerability in a responsible way :)

Oliver
20 days ago

Please do!

saharshtapi
20 days ago

Researcher


Thank you @oliver!!

Jamie Slome
20 days ago

Admin


CVE assigned: CVE-2022-2111

It should be published shortly too 👏 Feel free to update the relevant GitHub Security Advisory with the CVE number stated above.

Matthias Mair
20 days ago

Sorry if I am coming in late here, but all the XSS reports are the exact same issue and fix - that should be only 1 CVE, right?

saharshtapi
20 days ago

Researcher


Looking at other applications' reports and the CVE database, CVEs were assigned to all XSS.

Jamie Slome
17 days ago

Admin


Because I facilitated this manually, we have only allotted one CVE for all of the XSS issues, as they only required a single fix to address all of the issues 👍

saharshtapi
17 days ago

Researcher


Understood!!

Matthias Mair
17 days ago

@admin thank you for the response. I was not sure if this is automated and might lead to spam in the CVE database, which might not be good.
