HackerOne report 874107 by byq

Mail.ru: [my.games] Stored XSS via untrusted bucket

2020-05-14 11:37:28
byq
hackerone.com
106

Domain, site, application

https://my.games/

Details

If you check the page source of https://my.games, you can notice that the site loads its static files (scripts, styles, images) from URLs of the following form:
https://my.games/hotbox/mygames/frontend/v3-6-13/img/share/main.png

Here, mygames is the name of an S3 bucket.
After creating my own S3 bucket in AWS and using https://my.games/hotbox/BUCKET_NAME/, I got a “NoSuchBucket” error.

But my comrade found that hotbox is one of the available types of S3 bucket in MCS.

…

Preconditions

  1. Create your S3 bucket at https://mcs.mail.ru/app/services/storage/buckets/.
  2. Upload any malicious file (e.g. HTML page).
  3. Make this file public.

Steps to reproduce

  1. Open the following link in a browser:
    https://my.games/hotbox/YOUR_BUCKET_NAME/YOUR_FILE_NAME

PoC, exploit code, screenshots, video, references, additional resources

https://my.games/hotbox/foobar1337/oops.html
{F828044}

Impact

An attacker can host any malicious file, including an HTML page, on the my.games domain, so attacker-controlled content is served from the my.games origin.
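The root cause described in this report is that the /hotbox/ prefix on my.games forwards any bucket name to the object store, not just the site's own bucket. The following Python snippet is an added illustration of the fix from the proxy's side; it is not code from Mail.ru or from the report. It assumes a hypothetical front-end routine that turns a request path into an upstream object URL, a placeholder upstream origin, and a constructed allowlist containing only the mygames bucket seen in the report. The unrestricted mapping reproduces the reported behaviour for comparison; the allowlisted one rejects foreign buckets, traversal-looking keys and non-asset file types.

```python
from typing import Optional, Tuple
from urllib.parse import quote

# Placeholder upstream origin for the object store (assumption, not the real host).
UPSTREAM = "https://hotbox.example-upstream.invalid"

# Constructed allowlist: the only bucket the front end legitimately serves.
ALLOWED_BUCKETS = frozenset({"mygames"})

# Defence in depth: the /hotbox/ route only exists to serve static assets,
# so anything that is not an asset type has no business being proxied.
ALLOWED_SUFFIXES = (".js", ".css", ".png", ".jpg", ".jpeg", ".svg", ".woff2")


def _split_hotbox_path(path: str) -> Optional[Tuple[str, str]]:
    """Split '/hotbox/<bucket>/<key>' into (bucket, key), or None if malformed."""
    parts = path.split("/", 3)
    if len(parts) < 4 or parts[0] != "" or parts[1] != "hotbox":
        return None
    bucket, key = parts[2], parts[3]
    if not bucket or not key:
        return None
    return bucket, key


def map_path_unrestricted(path: str) -> Optional[str]:
    """Weak mapping: forwards whatever bucket name appears in the URL.

    This is the behaviour the report exploits: any public bucket in the same
    storage service becomes reachable under the my.games origin.
    """
    parsed = _split_hotbox_path(path)
    if parsed is None:
        return None
    bucket, key = parsed
    return f"{UPSTREAM}/{bucket}/{quote(key)}"


def map_path_allowlisted(path: str) -> Tuple[int, Optional[str]]:
    """Hardened mapping: returns (http_status, upstream_url_or_None).

    404 for unknown buckets so the route reveals nothing about the storage
    backend, 400 for traversal-looking keys, 403 for non-asset file types.
    """
    parsed = _split_hotbox_path(path)
    if parsed is None:
        return 404, None
    bucket, key = parsed
    if bucket not in ALLOWED_BUCKETS:
        return 404, None
    if ".." in key.split("/"):
        return 400, None
    if not key.lower().endswith(ALLOWED_SUFFIXES):
        return 403, None
    return 200, f"{UPSTREAM}/{bucket}/{quote(key)}"


if __name__ == "__main__":
    # Constructed sample requests: the legitimate asset from the report and
    # the shape of the PoC URL (bucket and file names are placeholders).
    for p in ("/hotbox/mygames/frontend/v3-6-13/img/share/main.png",
              "/hotbox/foobar1337/oops.html",
              "/hotbox/mygames/index.html"):
        print(p, "->", map_path_unrestricted(p), "|", map_path_allowlisted(p))
```

The same allowlist can be expressed directly in the reverse proxy (a fixed upstream path instead of a captured bucket segment), which removes the attacker-controlled bucket name from the request entirely; the Python form just makes the check explicit and testable.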