ID H1:305237 Type hackerone Reporter muon4 Modified 2018-04-10T03:36:59
Description
Basic report information
Summary:
Malicious file upload
Description:
Hello!
I noticed that when a user sends a new message you have restricted pretty strictly the files which are ok to upload, like .svg:
{F254353}
However, if a user impersonates another user (just one example) and starts the conversation with LocalTapiola's employee and gets the message from LocalTapiola, an attacker can upload malicious files which can be used against your employees, like .svg and .exe:
{F254354}
I sent one email to myself with a "malicious" svg file and it came through. This could obviously contain something much worse than just a pop-up window:
{F254352}
I want to underline that I'm not 100% sure whether this is expected behaviour, but in my opinion files like .exe should not be allowed. And why should an (attacker) user be allowed to upload anything at this point?
This is a straight way to attack your employees and/or bypass the original upload restrictions.
Domain:
secure.lahitapiola.fi
Browsers / Apps Verified In:
Newest version of FF
Steps To Reproduce:
1. Start a conversation with the secure service
2. When you receive the first message via this service, upload any file like .exe or .svg
3. See that you can send these files
Impact
An attacker can bypass upload restrictions.
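The report's root cause is a restriction enforced on one path (the first message) but not on another (a reply once an employee has answered). The following is an added example, not code from the report or from LocalTapiola: a single server-side upload policy in Python that both flows call, combining an extension allowlist with a magic-byte check so that a renamed .exe is caught, and rejecting SVG because it is a scriptable document rather than an image. The flow names, the allowlist, the size limit and the sample payloads are assumptions constructed for this illustration.

```python
import re

# Extension allowlist with the magic bytes each type must start with.
# SVG is deliberately absent: browsers parse it as a document, so a "picture"
# can carry <script> or onload= handlers (the pop-up the reporter describes).
ALLOWED_TYPES = {
    "pdf":  (b"%PDF-",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit

# Markers of active content inside SVG; only used to give a precise reason.
ACTIVE_SVG = re.compile(
    rb"<\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignobject|<\s*(?:iframe|embed)",
    re.IGNORECASE,
)


def extension_of(filename):
    """Last suffix of the bare file name, lowercased. Path parts are dropped,
    so '..\\payroll.exe', 'a/b.exe' and a name with an embedded NUL before
    '.exe' all yield 'exe' rather than the decoy extension."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def svg_has_active_content(data):
    return ACTIVE_SVG.search(data) is not None


def check_upload(filename, data):
    """Return (accepted, reason). This one policy is meant to be called from
    every path that attaches a file, including replies in an open conversation."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        if ext == "svg" and svg_has_active_content(data):
            return False, "svg with active content"
        return False, "extension not allowed: " + (ext or "(none)")
    # Extension alone is not enough: an .exe renamed to .png must still fail.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def attach_to_message(flow, filename, data):
    """Hypothetical dispatcher for the two flows in the report: 'new' is the
    first message of a conversation, 'reply' is a message sent after the
    employee has answered. Both go through the same policy; that is the fix."""
    if flow not in ("new", "reply"):
        raise ValueError("unknown flow: " + flow)
    return check_upload(filename, data)


# Constructed sample payloads (not files from the report).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,
    "setup.png": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # exe renamed to .png
    "badge.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for flow in ("new", "reply"):
            print(flow, name, attach_to_message(flow, name, body))
```

Whatever is accepted should also be served back with a fixed, non-sniffable content type and `Content-Disposition: attachment`, so that an allowed file is downloaded rather than rendered in the origin of the secure service.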
Published: 2018-01-16T14:26:06
Modified: 2018-04-10T03:36:59
Report: https://hackerone.com/reports/305237
Program: localtapiola (https://hackerone.com/localtapiola)
Reporter: muon4
Bounty: 600.0 (resolved)
CVSS: none assigned