HackerOne: Arbitrary file uploads to Amazon WS.

2014-04-17T21:13:51
ID H1:7929
Type hackerone
Reporter leander
Modified 2014-04-26T23:13:30

Description

Hi,

It seems one is able to upload arbitrary files to Amazon Web Services through the UI.

This allows for uploading malware such as msf-payload-x86.jpg.exe or whatever.

Beyond free hosting this could potentially be used to entice teams into downloading stuff they probably don't want.

Actual exploitation would likely depend on obfuscating the filename to look more innocent, general human errors, a certain trust in files being served from hackerone-attachments.*.amazonaws.com or separate issues entirely.

I could imagine this to be working as intended but still believe it would be good to consider restrictions even if the result is to not enforce any.

I would propose to at least consider displaying a warning similar to the (excellent) one displayed when visiting an external link.

HTH,

-leander
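The restrictions the report suggests considering can be made concrete as an upload gate that runs before anything is stored. The following is an added example written for this page; it is not HackerOne's code and not part of the original report. The allowlist, the blocked-extension set and the magic-byte table are constructed for illustration (a real deployment would tune them to the attachment types it actually needs). It rejects names that carry a dangerous extension anywhere in a multi-dot name (the `something.jpg.exe` pattern mentioned above), strips path components, rejects control and bidi-override characters that can disguise a name, and checks that the first bytes of the content match the declared image or PDF type.

```python
import os

# Constructed policy for this example, not HackerOne's actual rules.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "log"}

# Extensions that are never accepted, even as a middle or trailing
# component of a multi-dot name such as "report.jpg.exe".
DANGEROUS_EXTENSIONS = {
    "exe", "dll", "scr", "bat", "cmd", "com", "msi", "msp",
    "js", "vbs", "vbe", "wsf", "ps1", "sh", "jar", "hta", "lnk",
}

# Leading bytes expected for the binary types in the allowlist.
# Text types (txt, log) have no fixed signature and are not checked.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Characters that let a filename render differently from how it is stored
# (right-to-left override, zero-width space) or that are plain controls.
DISGUISE_CHARS = {"\u202e", "\u202d", "\u200b", "\u200e", "\u200f"}


def classify_filename(name):
    """Return (True, final_extension) or (False, reason) for a client-supplied name.

    Only the base name is considered: any directory part, with either
    separator style, is discarded so "../x.txt" is treated as "x.txt".
    """
    base = os.path.basename(name.replace("\\", "/"))
    if not base:
        return False, "empty name"
    if any(ord(c) < 32 or c in DISGUISE_CHARS for c in base):
        return False, "control or bidi-override character in name"

    parts = base.lower().split(".")
    # Require a non-empty stem and at least one extension; this also
    # rejects dotfiles such as ".htaccess".
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"

    exts = parts[1:]
    bad = [e for e in exts if e in DANGEROUS_EXTENSIONS]
    if bad:
        return False, "dangerous extension present: " + ", ".join(bad)

    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + final
    return True, final


def validate_upload(name, data):
    """Combine the name policy with a content check on the leading bytes.

    Returns (True, extension) when the upload may be stored, otherwise
    (False, reason). `data` is the raw uploaded bytes (or a prefix of them).
    """
    ok, info = classify_filename(name)
    if not ok:
        return False, info
    ext = info
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return False, "content does not match declared type " + ext
    return True, ext


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("msf-payload-x86.jpg.exe", b"MZ" + b"\x00" * 16),
        ("report.pdf", b"MZ" + b"\x00" * 16),
        ("../../notes.txt", b"plain text"),
    ]
    for fname, blob in samples:
        print(fname, "->", validate_upload(fname, blob))
```

A gate like this is a first layer only: the stored object should also be served with a fixed `Content-Type` and a `Content-Disposition: attachment` header from a domain that carries no session, so that a file which passes the name check still cannot be rendered or executed in the context of the main site.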