
[Security] Unrestricted file Upload


Description: When we install the browser, we are sent to localhost:8888. There, under the profile section, we have an option to upload images. I noticed that there are no file upload restrictions, hence an attacker can upload any kind of file like:

  • Upload and host a phishing page in HTML
  • Execute malicious JavaScript
  • Upload trojan/backdoors to infect the victim’s system

The request to upload the file looks like this:

POST /store/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0 HTTP/1.1
Host: hub.blockstack.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/html
Authorization: bearer 
Origin: http://localhost:8888
Content-Length: 143
Connection: close
<html>
<body>
Easily send and receive tokens on the Blockstack Network.
<a href="https://evil.com">Fake installation file</a>
</body>
</html>

Proof of concept: This small proof shows that we can host a fake page to mislead victim users into downloading a malicious file to infect their system, or host a phishing page (which can be any page, not limited to Gaia).

Visit the link to see the proof: https://gaia.blockstack.org/hub/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0

[Screenshot 2020-12-05 at 9:52:01 PM]

Or execute client-side JavaScript

[Screenshot 2020-12-05 at 9:53:01 PM]

Additional Notes: I know Gaia and the browser are no longer in use. But the impact is global here at the organization level. This bug affects all the users who are using Blockstack. The fake pages are served from the official Blockstack domain. The domain blockstack.org is trusted, and an attacker can exploit that trust to host his own pages to lure victims into downloading a backdoor or tempt them into giving away their private keys/credentials by hosting a fake page/false campaign etc. Again I want to emphasize that the impact here is global as it impacts all users. The overall concept of security is to protect users from bad/malicious actors.
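The server-side check the maintainer's reply below points at (validating the avatar's MIME type before storing and serving it), as an added example; this is not Gaia hub or Blockstack Browser code, and the allowlist, size limit, signature table and sample bodies are assumptions constructed for the demonstration:

```javascript
// Added example, not Gaia hub code: accept an avatar upload only when the
// declared Content-Type is an allowed image type AND the body's magic bytes
// agree, then serve it with a type the client did not get to choose.
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']); // assumed allowlist

// Magic-byte signatures for the allowed formats (constructed table).
const SIGNATURES = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the image type the bytes actually look like, or null.
function sniffImageType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  return null;
}

// Validate one upload. Returns { ok: true, contentType, responseHeaders }
// or { ok: false, reason }. maxBytes is an assumed size limit.
function validateAvatarUpload(declaredType, body, maxBytes = 2 * 1024 * 1024) {
  const declared = String(declaredType || '').split(';')[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.has(declared)) {
    return { ok: false, reason: `content-type ${declared || '(none)'} not allowed` };
  }
  if (body.length === 0 || body.length > maxBytes) {
    return { ok: false, reason: 'body empty or too large' };
  }
  const sniffed = sniffImageType(body);
  if (sniffed !== declared) {
    return { ok: false, reason: `body does not look like ${declared}` };
  }
  // Serve with the sniffed type and nosniff so the browser cannot reinterpret
  // the bytes as HTML or script, whatever the uploader claimed.
  return {
    ok: true,
    contentType: sniffed,
    responseHeaders: { 'Content-Type': sniffed, 'X-Content-Type-Options': 'nosniff' },
  };
}

// Constructed sample inputs: the HTML body from the issue, and a PNG header.
const htmlBody = Buffer.from('<html><body><a href="https://evil.com">Fake installation file</a></body></html>');
const pngBody = Buffer.concat([Buffer.from(SIGNATURES[0].bytes), Buffer.alloc(16)]);
```

A body that carries a valid image header but is declared as text/html is still rejected, because the declared type is checked first; a body declared as image/png but containing HTML fails the magic-byte comparison.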

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

1 reaction
hstove commented, Dec 9, 2020

Hey @Shashank-In, thank you for spending your time looking into this. I am inclined to say this is not a security vulnerability in the Blockstack Browser, without a mechanism for executing this payload on a different user in the Blockstack Browser. Right now the Blockstack Browser only shows your avatar file as an <img src={url} />, which will not execute stored XSS. If you found something like that, please post on HackerOne. I do recognize that this is a bug in the Blockstack Browser around improper MIME types when uploading an avatar, but we have mostly deprecated non-security updates to this product, as seen in the README for this repo.

We can continue this discussion on HackerOne.

1 reaction
timstackblock commented, Dec 7, 2020

Thanks @Shashank-In, we are investigating.
