The application allows uploading media files through the "id" parameter and the file name must be uploaded with the following format "image_name.ext". In the album page, the vulnerable code is as follows:
input type="hidden" name="id" value=""> The above input is a hidden input, that means you cannot see the input value when you submit the form. The issue occurs due to insecure flow of data because of lack of validation of the "id" parameter. An attacker can inject malicious code in the form and get the user's access. A proof of concept is shown below. The file name must be "album-with-injection.ext" and the vulnerable code is displayed above. input type="hidden" name="id" value="">
How to trigger the vulnerability?
- Uploading media files
- The album page
- Input type="hidden" name="id" value="">
Timeline
Published on: 11/17/2022 00:15:00 UTC
Last modified on: 11/17/2022 23:26:00 UTC