VHX: Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv

2018-11-29T14:55:03
ID H1:452559
Type hackerone
Reporter sp1d3rs
Modified 2019-07-10T19:12:30

Description

By modifying the Content-Type to be blank, during a PUT command, the researcher was able to upload files to the CDN. This has been resolved.

It was possible to write (and overwrite) arbitrary files to the CDN (`vpe.cdn.vimeo.tv`) used for JS scripts delivery on the various in-scope assets using the PUT method with a blank or `application/octet-stream` Content-Type. Any other Content-Type caused an auth error from the Google Cloud Storage side. Example:

```
PUT /something.js HTTP/1.1
Host: vpe.cdn.vimeo.tv
Content-Type: application/octet-stream
Content-Length: 10
Connection: close

alert(document.domain)
```

could create `something.js` with XSS payload or overwrite `something.js` if it already exists.

The issue was fixed fast. Thanks to the VHX team for the great experience, awesome communication and the bounty!
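For defenders, the condition in this report (a script-delivery host answering a write request with a 2xx status) can be looked for in edge access logs. The following is an added example, not part of the original report or of VHX's code; the log layout, the trailing request Content-Type field and the sample lines are constructed assumptions.

```python
import re

# Constructed sample lines: combined-log-like format with the request
# Content-Type appended as the last quoted field (assumed layout).
SAMPLE_LOG = '''\
203.0.113.7 - - [29/Nov/2018:14:01:10 +0000] "GET /player.js HTTP/1.1" 200 48211 "-"
203.0.113.9 - - [29/Nov/2018:14:02:31 +0000] "PUT /something.js HTTP/1.1" 200 0 "application/octet-stream"
203.0.113.9 - - [29/Nov/2018:14:02:40 +0000] "PUT /other.js HTTP/1.1" 403 212 "text/javascript"
203.0.113.9 - - [29/Nov/2018:14:03:02 +0000] "PUT /something.js HTTP/1.1" 201 0 ""
198.51.100.4 - - [29/Nov/2018:14:05:00 +0000] "DELETE /old.css HTTP/1.1" 401 180 "-"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# A read-only asset CDN should never accept any of these from the public edge.
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
SCRIPT_EXTENSIONS = (".js", ".mjs")


def find_accepted_writes(log_text):
    """Return one finding per write request that the host answered with 2xx."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        status = int(m["status"])
        if m["method"] not in WRITE_METHODS or not 200 <= status < 300:
            continue  # rejected writes (401/403) are the expected behaviour
        path = m["path"].split("?", 1)[0]
        findings.append({
            "time": m["ts"],
            "client": m["ip"],
            "method": m["method"],
            "path": path,
            "status": status,
            "content_type": m["ctype"],
            # Overwritten scripts execute in every page that loads them.
            "severity": "high" if path.endswith(SCRIPT_EXTENSIONS) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_accepted_writes(SAMPLE_LOG):
        print(f)
```
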