Unrestricted Upload of File with any dangerous extension in polonel/trudesk
Reported on Jun 2nd 2022
Description
Unrestricted upload of a file with any extension: the upload check relies on the client-supplied Content-Type header, which the client controls, so a file with any extension can be stored.
Proof of Concept
1. Create a ticket
2. Upload a file with any dangerous extension
3. Intercept the upload request in Burp Suite and replace the Content-Type with image/jpeg
POC video:
https://drive.google.com/file/d/1FwS6zC1YaYXBFoPUsTqmjdM1V5buHDT-/view?usp=sharing
Impact
- A normal user can upload a dangerous file that threatens the system
- Other users may download the dangerous file
Occurrences
Hi @maintainer, I see you read the report. Is it hard to understand, or does my PoC video not work? You can ask me something. Thank you!
@admin hi admin, can you help me contact the maintainer? Thanks!
@lengochoa7112000 - our system will automatically continue to ping the maintainer. Please have patience. This maintainer is usually very active and so you should hear back from them shortly. To see how active they are, feel free to view their repository page:
This has been fixed in v1.2.4. I will update this report once it is released.