Today I was inspired by Brute’s XSS experience and tried to exploit a few file sharing services. With alarming success!
While all the big players like Dropbox run public bug bounty programs and most of their flaws get fixed promptly, the not-so-big players are often full of flaws.
To name a few of them:
- directupload.net (OBB-554346)
- imagehousing.com (OBB-554348)
- filemail.com (OBB-554527)
- filetea.me (OBB-554549)
The vulnerability details for those sites are still on hold, so please refer to those reports later for the technical details.
But it's always the same kind of flaw: they are not, or not properly, checking the file names of uploaded files. While Windows does not really let you create files with HTML tags in their names, Linux- or Mac-based systems do.
So I can simply upload an arbitrary file with the file name:
"><img src=x onerror=alert(1)>.txt
Imagine all the possible XSS attack vectors, not simply reflected but, at least for a given period of time, stored there now. And making it even easier for attackers, these kinds of file sharing services often delete the uploaded files automatically after a couple of hours or days. Perfect!
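As an added illustration (my own code, not taken from the post or from any of the services named above): the rendering pattern that turns such a file name into stored XSS, beside the two defender-side fixes, context-aware output escaping and upload-time name sanitization. The function names and the sample file names are constructed for the demo.

```python
import html
import re
from pathlib import PurePosixPath

# Constructed sample names: the one from the post plus two ordinary ones.
UPLOADED_NAMES = [
    '"><img src=x onerror=alert(1)>.txt',
    'report.pdf',
    '../../etc/passwd',
]


def render_link_unsafe(name: str) -> str:
    """'Before' pattern: the stored file name is interpolated straight into
    the download page, so the browser parses the tags inside it."""
    return f'<a href="/dl/{name}" title="{name}">{name}</a>'


def render_link_safe(name: str) -> str:
    """Escape the name for each HTML context it lands in: attribute values
    need quotes escaped as well, text content only needs &, < and >."""
    attr = html.escape(name, quote=True)
    text = html.escape(name, quote=False)
    return f'<a href="/dl/{attr}" title="{attr}">{text}</a>'


# Whitelist: anything outside this set is replaced at upload time.
UNSAFE_CHARS = re.compile(r'[^A-Za-z0-9._-]')


def sanitize_upload_name(name: str, max_len: int = 64) -> str:
    """Normalise the name before storing it: keep only the basename (drops
    path traversal), replace disallowed characters, trim leading/trailing
    dots and underscores, cap the length, and fall back to a fixed default
    if nothing usable remains."""
    base = PurePosixPath(name).name
    base = UNSAFE_CHARS.sub('_', base).strip('._')[:max_len]
    return base or 'upload'
```

Escaping at render time is the fix that closes the XSS; sanitizing at upload time is defence in depth for every other place the name is later shown or logged.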
Better think twice in future when receiving a file download link. You never know what's behind it. One click and it could be too late.
Let's wait and see, and hope, that the services I found vulnerable will ping me back so that these flaws get patched.
I will keep this kind of vulnerability on my to-do list and try to exploit closed systems as well in future.