Search...

LocalTapiola: Malicious file upload (secure.lahitapiola.fi)

2018-01-16T14:26:06

ID H1:305237
Type hackerone
Reporter muon4
Modified 2018-04-10T03:36:59

Description

Basic report information

Summary: Malicious file upload

Description: Hello!

I noticed that when a user sends new message you have restricted pretty strictly the files which is ok to upload. Like .svg: {F254353}

How ever if a user impersonate another user (just a one example) and start the conversation with localtapiola's employee and will get the message from localtapiola an attacker can upload malicious files which can be used against your employees like .svg and .exe: {F254354}

I sended one email to me with "malicious" svg file and it came through. This could obviously contain something much more badly than just a pop up window: {F254352}

I want to underline that I'm not 100% sure is this expected behaviour but in my opinion files like .exe should not be allowed. And why an (attacker) user should be allowed to upload anything at this point?

This is straight way to attack against your employees and/or bypass the original upload restrictions.

Domain: secure.lahitapiola.fi

Browsers / Apps Verified In:

Newest version of FF

Steps To Reproduce:

Start conversation with secure service
When you receive the first message via this service upload any file like .exe or .svg
See that you can send these files

Impact

An attacker can bypass upload restrictions.

JSON Vulners Source

Initial Source

{"id": "H1:305237", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "LocalTapiola: Malicious file upload (secure.lahitapiola.fi)", "description": "## Basic report information\n**Summary:** \nMalicious file upload\n\n**Description:** \nHello!\n\nI noticed that when a user sends new message you have restricted pretty strictly the files which is ok to upload. Like .svg:\n{F254353}\n\nHow ever if a user impersonate another user (just a one example) and start the conversation with localtapiola's employee and will get the message from localtapiola an attacker can upload malicious files which can be used against your employees like .svg and .exe:\n{F254354}\n\nI sended one email to me with \"malicious\" svg file and it came through. This could obviously contain something much more badly than just a pop up window:\n{F254352}\n\nI want to underline that I'm not 100% sure is this expected behaviour but in my opinion files like .exe should not be allowed. And why an (attacker) user should be allowed to upload anything at this point? \n\nThis is straight way to attack against your employees and/or bypass the original upload restrictions.\n\n**Domain:** \nsecure.lahitapiola.fi\n\n## Browsers / Apps Verified In:\n\n * Newest version of FF\n\n## Steps To Reproduce:\n\n 1. Start conversation with secure service\n 2. When you receive the first message via this service upload any file like .exe or .svg\n 3. See that you can send these files\n\n## Impact\n\nAn attacker can bypass upload restrictions.", "published": "2018-01-16T14:26:06", "modified": "2018-04-10T03:36:59", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/305237", "reporter": "muon4", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:11", "viewCount": 6, "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2018-04-19T17:34:11", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:11", "rev": 2}, "vulnersScore": 1.0}, "bounty": 600.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/008/416/23d72f4d3433458578a2ce1b4cc7574a935e2316_small.png?1457688936", "medium": "https://profile-photos.hackerone-user-content.com/000/008/416/b913929e71e6e373cc437dbd4c96b7df758fdbe6_medium.png?1457688936"}, "handle": "localtapiola", "url": "https://hackerone.com/localtapiola"}, "h1reporter": {"hacker_mediation": false, "hackerone_triager": false, "disabled": false, "is_me?": false, "username": "muon4", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/059/198/33d05756ac88489638c3e272383e3a57c3bdf080_small.png?1519214359"}, "url": "/muon4"}, "immutableFields": []}